CVE-2023-4863
high
KEV
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
9.5
Description
Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.
CISA KEV
- Vendor
- Product
- Chromium WebP
- Due date
- 2023-10-04
Predictions
Exploit likelihood
99%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | firefox-102.15.1-1.el8_8.alma.aarch64.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 117.0.5938.62-1 |
| sid | Fixed | 117.0.5938.62-1 |
| forky | Fixed | 117.0.5938.62-1 |
| bullseye | Fixed | 117.0.5938.62-1 |
| bookworm | Fixed | 117.0.5938.62-1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| crates.io | libwebp-sys | | |
| crates.io | libwebp-sys2 | | |
| crates.io | libwebp-sys2 | <0.1.8 | 0.1.8 |
| crates.io | libwebp-sys | <0.9.3 | 0.9.3 |
| npm | electron | >=22.0.0,<22.3.24 | 22.3.24 |
| npm | electron | >=24.0.0,<24.8.3 | 24.8.3 |
| npm | electron | >=25.0.0,<25.8.1 | 25.8.1 |
| npm | electron | >=26.0.0,<26.2.1 | 26.2.1 |
| npm | electron | >=27.0.0-beta.1,<27.0.0-beta.2 | 27.0.0-beta.2 |
| NuGet | SkiaSharp | >=2.0.0,<2.88.6 | 2.88.6 |
| Go | github.com/chai2010/webp | >=1.1.2,<1.4.0 | 1.4.0 |
| PyPI | pillow | <10.0.1 | 10.0.1 |
| crates.io | webp | <0.2.6 | 0.2.6 |
| NuGet | magick.net-q16-anycpu | <13.3.0 | 13.3.0 |
| NuGet | magick.net-q16-hdri-anycpu | <13.3.0 | 13.3.0 |
| NuGet | magick.net-q16-x64 | <13.3.0 | 13.3.0 |
| NuGet | magick.net-q8-anycpu | <13.3.0 | 13.3.0 |
| NuGet | magick.net-q8-openmp-x64 | <13.3.0 | 13.3.0 |
| NuGet | magick.net-q8-x64 | <13.3.0 | 13.3.0 |
| Go | github.com/chai2010/webp | <0.0.0-20250406010349-76805d5a8860 | 0.0.0-20250406010349-76805d5a8860 |
| Go | github.com/chai2010/webp | >=0.0.0,<1.1.2-0.20250406010349-76805d5a8860 | 1.1.2-0.20250406010349-76805d5a8860 |
| crates.io | libwebp-sys | >=0.0.0-0,<0.9.3 | 0.9.3 |
| crates.io | libwebp-sys2 | >=0.0.0-0,<0.1.8 | 0.1.8 |
References
- https://access.redhat.com/errata/RHSA-2023:5200
- https://access.redhat.com/errata/RHSA-2023:5214
- https://access.redhat.com/errata/RHSA-2023:5224
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- https://github.com/qnighy/libwebp-sys2-rs/pull/21
- https://github.com/python-pillow/Pillow/pull/7395
- https://github.com/jaredforth/webp/pull/30
- https://github.com/electron/electron/pull/39823
- https://github.com/electron/electron/pull/39825
- https://github.com/electron/electron/pull/39826
- https://github.com/electron/electron/pull/39827
- https://github.com/electron/electron/pull/39828
- https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
- https://github.com/qnighy/libwebp-sys2-rs/commit/4560c473a76ec8bd8c650f19ddf9d7a44f719f8b
- https://github.com/jaredforth/webp/commit/9d4c56e63abecc777df71c702503c3eaabd7dcbc
- https://security.gentoo.org/glsa/202401-10
- https://security.gentoo.org/glsa/202309-05
- https://security-tracker.debian.org/tracker/CVE-2023-4863
- https://rustsec.org/advisories/RUSTSEC-2023-0061.html
- https://rustsec.org/advisories/RUSTSEC-2023-0060.html
- https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html#security
- https://news.ycombinator.com/item?id=37478403
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
- https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway
- https://security.netapp.com/advisory/ntap-20230929-0011
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.