CVE-2023-4863

CVSS v3.1 8.8 (High)
EPSS 63.64 % (98th)
Affected Products 13
Advisories 71
NVD Status Analyzed

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Weaknesses
CWE-787
Out-of-bounds Write
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
Chrome
Published Date
2023-09-12 15:15:24
(12 months ago)
Updated Date
2024-07-31 18:19:23
(6 weeks ago)
Google Chromium WebP Heap-Based Buffer Overflow Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
Description
Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known to be Used in Ransomware Campaigns
Unknown
Notes
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1; https://nvd.nist.gov/vuln/detail/CVE-2023-4863
Vendor
Google
Product
Chromium WebP
In CISA Catalog from
2023-09-13
(12 months ago)
Due Date
2023-10-04
(11 months ago)

Affected Products


Configuration #1

  Product | CPE23 | From | Up To
  Google Chrome prior 116.0.5845.187 version | cpe:2.3:a:google:chrome | | < 116.0.5845.187

Configuration #2

  Product | CPE23 | From | Up To
  Fedoraproject Fedora 37 | cpe:2.3:o:fedoraproject:fedora:37 | |
  Fedoraproject Fedora 38 | cpe:2.3:o:fedoraproject:fedora:38 | |
  Fedoraproject Fedora 39 | cpe:2.3:o:fedoraproject:fedora:39 | |

Configuration #3

  Product | CPE23 | From | Up To
  Debian Linux 10.0 | cpe:2.3:o:debian:debian_linux:10.0 | |
  Debian Linux 11.0 | cpe:2.3:o:debian:debian_linux:11.0 | |
  Debian Linux 12.0 | cpe:2.3:o:debian:debian_linux:12.0 | |

Configuration #4

  Product | CPE23 | From | Up To
  Mozilla Firefox prior 117.0.1 version | cpe:2.3:a:mozilla:firefox | | < 117.0.1
  Mozilla Firefox Esr prior 102.15.1 version | cpe:2.3:a:mozilla:firefox_esr | | < 102.15.1
  Mozilla Firefox Esr from 115.0 version and prior 115.2.1 version | cpe:2.3:a:mozilla:firefox_esr | >= 115.0 | < 115.2.1
  Mozilla Thunderbird prior 102.15.1 version | cpe:2.3:a:mozilla:thunderbird | | < 102.15.1
  Mozilla Thunderbird from 115.0 version and prior 115.2.2 version | cpe:2.3:a:mozilla:thunderbird | >= 115.0 | < 115.2.2

Configuration #5

  Product | CPE23 | From | Up To
  Microsoft Edge prior 117.0.2045.31 version | cpe:2.3:a:microsoft:edge | | < 117.0.2045.31
  Microsoft Edge Chromium prior 117.0.5938.62 version | cpe:2.3:a:microsoft:edge_chromium | | < 117.0.5938.62
  Microsoft Teams 1.6.00.26463 for Macos | cpe:2.3:a:microsoft:teams:1.6.00.26463:*:*:*:*:macos | |
  Microsoft Teams 1.6.00.26474 for Desktop | cpe:2.3:a:microsoft:teams:1.6.00.26474:*:*:*:*:desktop | |
  Microsoft Webp Image Extension 1.0.62681.0 | cpe:2.3:a:microsoft:webp_image_extension:1.0.62681.0 | |

Configuration #6

  Product | CPE23 | From | Up To
  Webmproject Libwebp prior 1.3.2 version | cpe:2.3:a:webmproject:libwebp | | < 1.3.2

Configuration #7

  Product | CPE23 | From | Up To
  Netapp Active Iq Unified Manager for Vmware Vsphere | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere | |

Configuration #8

  Product | CPE23 | From | Up To
  Bentley Seequent Leapfrog prior 2023.2 version | cpe:2.3:a:bentley:seequent_leapfrog | | < 2023.2