8.8

CVE-2023-4863

Warnung
Medienbericht
Exploit
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleChrome Version < 116.0.5845.187
FedoraprojectFedora Version37
FedoraprojectFedora Version38
FedoraprojectFedora Version39
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
DebianDebian Linux Version12.0
MozillaFirefox SwEditionesr Version < 102.15.1
MozillaFirefox SwEdition- Version < 117.0.1
MozillaFirefox SwEditionesr Version >= 115.1.0 < 115.2.1
MozillaThunderbird Version < 102.15.1
MozillaThunderbird Version >= 115.0 < 115.2.2
MicrosoftEdge Chromium Version < 116.0.1938.81
MicrosoftTeams SwPlatformmacos Version < 1.6.00.26463
MicrosoftTeams SwEditiondesktop Version < 1.6.00.26474
MicrosoftWebp Image Extension Version < 1.0.62681.0
WebmprojectLibwebp Version < 1.3.2
NetappActive Iq Unified Manager Version- SwPlatformvmware_vsphere
BentleySeequent Leapfrog Version < 2023.2
BandisoftHoneyview Version < 5.51

13.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

Schwachstelle

Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.74% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
01.07.2026 16:44
http://www.openwall.com/lists/oss-security/2023/09/28/2
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/28/4
Mailing List
https://security.gentoo.org/glsa/202401-10
Third Party Advisory
https://security.gentoo.org/glsa/202309-05
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/21/4
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/1
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/3
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/4
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/5
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/6
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/7
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/8
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/26/1
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/26/7
Mailing List
http://www.openwall.com/lists/oss-security/2023/09/28/1
Mailing List
https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/
Third Party Advisory
https://blog.isosceles.com/the-webp-0day/
Third Party Advisory
Exploit
https://bugzilla.suse.com/show_bug.cgi?id=1215231
Third Party Advisory
Issue Tracking
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Vendor Advisory
https://crbug.com/1479274
Vendor Advisory
Issue Tracking
https://en.bandisoft.com/honeyview/history/
Release Notes
https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
Patch
https://github.com/webmproject/libwebp/releases/tag/v1.3.2
Release Notes
https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
Mailing List
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
Patch
Third Party Advisory
https://news.ycombinator.com/item?id=37478403
Third Party Advisory
Exploit
https://security-tracker.debian.org/tracker/CVE-2023-4863
Third Party Advisory
Issue Tracking
https://security.netapp.com/advisory/ntap-20230929-0011/
Third Party Advisory
https://sethmlarson.dev/security-developer-in-residence-weekly-report-16
Exploit
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
Third Party Advisory
Exploit
https://www.bentley.com/advisories/be-2023-0001/
Third Party Advisory
https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
Third Party Advisory
https://www.debian.org/security/2023/dsa-5496
Mailing List
https://www.debian.org/security/2023/dsa-5497
Mailing List
https://www.debian.org/security/2023/dsa-5498
Third Party Advisory
Mailing List
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Third Party Advisory
https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863
Third Party Advisory
Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4863
US Government Resource