CVE-2023-5129: Critical Heap Buffer Overflow Bug in libwebp Library Affects Major Browsers
Google has reclassified a previously identified security vulnerability in the open-source libwebp library, which encodes and decodes images in the WebP format, as a critical issue with the maximum 10/10 severity rating. The flaw, now tracked under CVE-2023-5129, allows attackers to trigger out-of-bounds heap writes with maliciously crafted WebP images (delivered, for example, in an HTML page), which can lead to crashes, arbitrary code execution and disclosure of sensitive information.
When Google first disclosed the issue, it was tracked as a Chrome vulnerability, CVE-2023-4863, and Google said an exploit for it existed in the wild. Closer inspection showed that the bug was not specific to Chrome: it lies in Google's open-source libwebp library, the reference codec for encoding and decoding the WebP image format, which many other applications embed.
Recognizing the wider scope, Google assigned a separate identifier, CVE-2023-5129, with a 10/10 severity rating. The flaw is a heap buffer overflow in the WebP lossless decoder, affecting Google Chrome versions earlier than 116.0.5845.187 and libwebp versions earlier than 1.3.2.
Technically, the vulnerability sits in the Huffman table construction used by libwebp's VP8L lossless decoder. A crafted lossless WebP image, for instance one embedded in an HTML page, makes the decoder write outside the bounds of a heap buffer. The consequences are the usual ones for a heap overflow in an image parser fed untrusted input: crashes, arbitrary code execution in the process that decodes the image, and disclosure of sensitive data from that process's memory.
The mechanism: while reading the Huffman codes of a lossless file, libwebp builds two-level lookup tables in a heap buffer whose size comes from the fixed kTableSize array, and those sizes were computed on the assumption that the code lengths in the file describe valid, complete prefix codes. The table builder only rejected invalid code lengths after it had already filled the tables, so ReplicateValue could write second-level table entries past the end of the buffer. The fix shipped in libwebp 1.3.2 computes and validates the required table size before anything is allocated or written.
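The sizing hazard described above, as an added illustration rather than libwebp's own code: a dry-run table builder modelled on the two-level lookup tables that zlib and libwebp use. The functions plan_table, alloc_table, next_key and next_table_bits and the HuffEntry type are names chosen here, the inputs are constructed, and the arithmetic is simplified. It shows why a buffer sized for complete codes is too small once a file supplies an incomplete code, and how sizing and validating before the first write closes the hole.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CODE_LEN 15   /* VP8L lossless caps Huffman code lengths at 15 */

/* One entry of a two-level lookup table. Second-level tables are appended
 * after the 2^root_bits root entries, so 'value' is either a symbol or an
 * offset to a sub-table. Layout is modelled on zlib/libwebp, simplified. */
typedef struct { uint8_t bits; uint16_t value; } HuffEntry;

/* Next canonical code, walked in bit-reversed order as a table builder does. */
static uint32_t next_key(uint32_t key, int len) {
    uint32_t step = 1u << (len - 1);
    while (key & step) step >>= 1;
    return step ? (key & (step - 1)) + step : key;
}

/* Size in bits of the next second-level table: grow it until the remaining
 * codes of length 'len' and longer can fill it. For an incomplete code
 * 'left' never reaches zero, so the table grows to MAX_CODE_LEN - root_bits. */
static int next_table_bits(const int *count, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_CODE_LEN) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* Dry run of a two-level table builder over the code lengths. Returns the
 * number of entries a valid table needs, or 0 if the lengths are not a
 * complete prefix code. '*touched' reports how far a builder that writes
 * as it goes would have written before reaching the validity verdict; with
 * a buffer sized from a fixed table, that distance is the overflow hazard. */
int plan_table(const uint8_t *lengths, int n, int root_bits, int *touched) {
    int count[MAX_CODE_LEN + 1] = {0};
    int total = 1 << root_bits, num_open = 1, len;
    uint32_t key = 0, low = UINT32_MAX, mask = (1u << root_bits) - 1;
    *touched = total;
    for (int i = 0; i < n; i++) {
        if (lengths[i] > MAX_CODE_LEN) return 0;
        count[lengths[i]]++;
    }
    if (count[0] == n) return 0;                          /* no codes at all */
    for (len = 1; len <= root_bits; len++) {              /* root-table codes */
        num_open = (num_open << 1) - count[len];
        if (num_open < 0) return 0;                       /* over-subscribed */
        for (int i = 0; i < count[len]; i++) key = next_key(key, len);
    }
    for (len = root_bits + 1; len <= MAX_CODE_LEN; len++) { /* sub-tables */
        num_open = (num_open << 1) - count[len];
        if (num_open < 0) return 0;
        for (; count[len] > 0; --count[len]) {
            if ((key & mask) != low) {                    /* start a sub-table */
                total += 1 << next_table_bits(count, len, root_bits);
                *touched = total;                         /* a builder writes up to here */
                low = key & mask;
            }
            key = next_key(key, len);
        }
    }
    return num_open == 0 ? total : 0;                     /* incomplete code: 0 */
}

/* Hardened allocation: validate and size first, then allocate exactly that
 * much. Nothing is written before the code lengths are known to be valid,
 * which is the shape of the libwebp fix. Caller frees the result. */
HuffEntry *alloc_table(const uint8_t *lengths, int n, int root_bits, int *size) {
    int touched;
    *size = plan_table(lengths, n, root_bits, &touched);
    if (*size == 0) return NULL;
    return calloc((size_t)*size, sizeof(HuffEntry));
}

int main(void) {
    /* Constructed inputs: a complete code (Kraft sum 1) and an incomplete
     * one (Kraft sum 5/8) of the kind a crafted file could carry.
     * root_bits = 2 keeps the numbers small; libwebp uses 8. */
    static const uint8_t complete[] = {2, 2, 2, 3, 3};
    static const uint8_t incomplete[] = {1, 3};
    int touched, size;
    size = plan_table(complete, 5, 2, &touched);
    printf("complete code: %d entries needed, %d touched\n", size, touched);
    size = plan_table(incomplete, 2, 2, &touched);
    printf("incomplete code: valid=%d, a write-as-you-go builder touches %d entries\n",
           size != 0, touched);
    HuffEntry *t = alloc_table(incomplete, 2, 2, &size);
    printf("hardened alloc for incomplete code: %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

With root_bits = 2 the complete code needs 6 entries (4 root entries plus one 2-entry sub-table), while the single stray 3-bit code of the incomplete set makes the sub-table grow to 2^13 entries, so a builder that wrote as it went would have touched 8196 entries before its final completeness check rejected the input. A buffer sized from a fixed table for valid codes cannot absorb that; sizing first, as alloc_table does, means the invalid input is rejected before a single entry is written.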
As a Chrome flaw the issue was already concerning; as a libwebp flaw it is broader, because many projects bundle the library and inherit the bug. Affected software includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the built-in web browsers on Android devices, along with any application that ships its own copy of libwebp, such as Electron-based apps.
The reclassification of CVE-2023-5129 as a critical libwebp vulnerability matters because the library is embedded in a wide range of software, and updating the operating system alone does not fix applications that statically link or vendor their own copy. Update browsers and applications as patches become available (Chrome 116.0.5845.187 or later; libwebp 1.3.2 or later for software built from source). Since browsers and messaging apps decode images automatically, being careful about the images you open offers little protection; patching is the effective mitigation.
Update:
On September 27, CVE-2023-5129 was rejected by its CVE Numbering Authority as a duplicate of CVE-2023-4863. CVE-2023-4863 remains the identifier to use when tracking the libwebp fix across affected products.