Google has submitted a new CVE for a vulnerability identified in libwebp, the open-source library for encoding and decoding images in the WebP format. WebP produces smaller image files than older formats, reducing download times and improving website performance, and is supported by all major web browsers.
Google initially reported the issue as a flaw in Google Chrome (CVE-2023-4863) with a CVSS severity rating of 8.8 (High), but the company subsequently issued the WebP vulnerability under CVE-2023-5129, assigning the maximum possible CVSS score of 10.0 (Critical). Both identifiers describe the same underlying libwebp bug, and CVE-2023-5129 was later rejected by the CVE program as a duplicate, so most advisories and vulnerability scanners track the issue under CVE-2023-4863.
The vulnerability, a heap-based buffer overflow in the Huffman table construction of libwebp's lossless (VP8L) decoder, can lead to arbitrary code execution or application crashes on vulnerable targets when a maliciously crafted WebP image is processed. The issue affects Chrome browser versions prior to 116.0.5845.187; upstream, the fix shipped in libwebp 1.3.2.
Apple Security Engineering and Architecture (SEAR) and Citizen Lab at the University of Toronto jointly reported the finding.
Because libwebp is embedded in many products beyond Chrome, including other browsers, Electron-based applications and image-processing libraries, the vulnerability affects any application that decodes WebP with an unpatched copy of the library. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming that attackers are exploiting it in the wild.
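A quick way to see which libwebp a host's dynamic loader resolves is to call the library's own version API. The following Python is an added example, not code from the article or from libwebp: it loads the shared library through ctypes, calls libwebp's real `WebPGetDecoderVersion()` (which packs major/minor/revision into one byte each), and compares the result against 1.3.2, the first release carrying the fix. `FIXED_VERSION`, `is_patched` and `installed_libwebp_version` are names chosen here.

```python
import ctypes
import ctypes.util
from typing import Optional, Tuple

# First libwebp release carrying the fix for CVE-2023-4863 / CVE-2023-5129.
FIXED_VERSION = (1, 3, 2)


def decode_webp_version(packed: int) -> Tuple[int, int, int]:
    """Unpack the value returned by WebPGetDecoderVersion(): e.g. 0x010302 -> (1, 3, 2)."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_patched(version: Tuple[int, int, int]) -> bool:
    """True when the given libwebp version is at or above the fixed release."""
    return version >= FIXED_VERSION


def installed_libwebp_version() -> Optional[Tuple[int, int, int]]:
    """Version of the libwebp the dynamic loader resolves, or None if no shared libwebp is found."""
    path = ctypes.util.find_library("webp")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.WebPGetDecoderVersion.restype = ctypes.c_int
    lib.WebPGetDecoderVersion.argtypes = []
    return decode_webp_version(lib.WebPGetDecoderVersion())


if __name__ == "__main__":
    version = installed_libwebp_version()
    if version is None:
        print("no shared libwebp found by the dynamic loader")
    else:
        status = "patched" if is_patched(version) else "VULNERABLE"
        print("libwebp %d.%d.%d: %s" % (version + (status,)))
```

This only covers the system-wide shared library. Browsers, Electron applications and language runtimes frequently bundle their own statically linked libwebp, which this check cannot see, so each of those still has to be verified against its vendor's advisory.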