Vulnerability DatabaseCVE-2023-4863
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-4863
September 12, 2023
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Affected Packages
libwebp (CONAN):
Affected version(s) >=1.0.3 <1.3.2
Fix Suggestion:
Update to version 1.3.2
github.com/chai2010/webp (GO):
Affected version(s) >=v1.1.2-0.20220219151144-e81c7511b15a <v1.4.0
Fix Suggestion:
Update to version v1.4.0
github.com/chai2010/webp (GO):
Affected version(s) >=v0.0.0-20141126011551-e5bfb994b5ca <v1.1.2-0.20250406010349-76805d5a8860
Fix Suggestion:
Update to version v1.1.2-0.20250406010349-76805d5a8860
electron (NPM):
Affected version(s) >=24.0.0 <24.8.3
Fix Suggestion:
Update to version 24.8.3
electron (NPM):
Affected version(s) >=25.0.0 <25.8.1
Fix Suggestion:
Update to version 25.8.1
electron (NPM):
Affected version(s) =27.0.0-beta.1 <27.0.0-beta.2
Fix Suggestion:
Update to version 27.0.0-beta.2
electron (NPM):
Affected version(s) >=22.0.0 <22.3.24
Fix Suggestion:
Update to version 22.3.24
electron (NPM):
Affected version(s) >=26.0.0 <26.2.1
Fix Suggestion:
Update to version 26.2.1
magick.net-q16-hdri-anycpu (NUGET):
Affected version(s) >=6.8.9.101 <13.3.0
Fix Suggestion:
Update to version 13.3.0
magick.net-q8-x64 (NUGET):
Affected version(s) >=6.8.5.401 <13.3.0
Fix Suggestion:
Update to version 13.3.0
magick.net-q16-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.3.0
Fix Suggestion:
Update to version 13.3.0
skiasharp (NUGET):
Affected version(s) >=2.80.0 <2.88.6
Fix Suggestion:
Update to version 2.88.6
magick.net-q16-x64 (NUGET):
Affected version(s) >=6.8.5.401 <13.3.0
Fix Suggestion:
Update to version 13.3.0
magick.net-q8-openmp-x64 (NUGET):
Affected version(s) >=7.14.0 <13.3.0
Fix Suggestion:
Update to version 13.3.0
magick.net-q8-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.3.0
Fix Suggestion:
Update to version 13.3.0
pillow (PYTHON):
Affected version(s) >=1.0 <10.0.1
Fix Suggestion:
Update to version 10.0.1
webp (RUST):
Affected version(s) >=0.0.0 <0.2.6
Fix Suggestion:
Update to version 0.2.6
libwebp-sys2 (RUST):
Affected version(s) >=0.1.0 <0.1.8
Fix Suggestion:
Update to version 0.1.8
libwebp-sys (RUST):
Affected version(s) >=0.1.0 <0.9.3
Fix Suggestion:
Update to version 0.9.3
Related ResourcesĀ (79)
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
http://www.openwall.com/lists/oss-security/2023/09/22/5
http://www.openwall.com/lists/oss-security/2023/09/26/7
https://github.com/webmproject/libwebp/releases/tag/v1.3.2
https://blog.isosceles.com/the-webp-0day/
https://github.com/electron/electron/pull/39826
https://en.bandisoft.com/honeyview/history
https://github.com/jaredforth/webp/commit/9d4c56e63abecc777df71c702503c3eaabd7dcbc
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX
https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/
https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html#security
https://www.bentley.com/advisories/be-2023-0001/
https://github.com/qnighy/libwebp-sys2-rs/commit/4560c473a76ec8bd8c650f19ddf9d7a44f719f8b
http://www.openwall.com/lists/oss-security/2023/09/22/6
https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
http://www.openwall.com/lists/oss-security/2023/09/22/3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
https://github.com/electron/electron/pull/39828
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
https://www.bentley.com/advisories/be-2023-0001
https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
https://crates.io/crates/libwebp-sys
https://www.debian.org/security/2023/dsa-5496
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT
http://www.openwall.com/lists/oss-security/2023/09/22/7
https://security.gentoo.org/glsa/202309-05
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/
https://github.com/python-pillow/Pillow/pull/7395
https://www.debian.org/security/2023/dsa-5497
https://security-tracker.debian.org/tracker/CVE-2023-4863
http://www.openwall.com/lists/oss-security/2023/09/28/2
https://www.debian.org/security/2023/dsa-5498
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX
https://github.com/jaredforth/webp/pull/30
http://www.openwall.com/lists/oss-security/2023/09/22/1
https://security.netapp.com/advisory/ntap-20230929-0011/
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863
https://security.netapp.com/advisory/ntap-20230929-0011
http://www.openwall.com/lists/oss-security/2023/09/28/4
http://www.openwall.com/lists/oss-security/2023/09/26/1
https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway
https://crbug.com/1479274
http://www.openwall.com/lists/oss-security/2023/09/21/4
http://www.openwall.com/lists/oss-security/2023/09/22/8
https://security.gentoo.org/glsa/202401-10
https://github.com/electron/electron/pull/39827
https://en.bandisoft.com/honeyview/history/
https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863
https://bugzilla.suse.com/show_bug.cgi?id=1215231
https://sethmlarson.dev/security-developer-in-residence-weekly-report-16
https://github.com/qnighy/libwebp-sys2-rs/pull/21
https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html
https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html
http://www.openwall.com/lists/oss-security/2023/09/28/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/
https://github.com/webmproject/libwebp
https://github.com/ImageMagick/ImageMagick/discussions/6664
https://rustsec.org/advisories/RUSTSEC-2023-0061.html
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://blog.isosceles.com/the-webp-0day
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB
http://www.openwall.com/lists/oss-security/2023/09/22/4
https://news.ycombinator.com/item?id=37478403
https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/
https://github.com/dlemstra/Magick.NET/releases/tag/13.3.0
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/
https://github.com/electron/electron/pull/39825
https://github.com/electron/electron/pull/39823
https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html
https://rustsec.org/advisories/RUSTSEC-2023-0060.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Exploit Maturity
HIGH
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
EPSS
Base Score:
93.61