Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

Summary

CVE: CVE-2023-4863
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-09-12 15:15:00 UTC
Updated: 2024-01-07 11:15:00 UTC
Description: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and in libwebp prior to 1.3.2 allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Affected code path: BuildHuffmanTable() in libwebp's VP8L (lossless) decoder; fixed upstream in libwebp 1.3.2 (commit 902bc91). The crafted HTML page in the Chromium wording is only the browser delivery vector: any software that links or bundles libwebp and decodes untrusted WebP data is exposed, not only browsers.
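The vulnerable function is reached only through libwebp's lossless bitstream reader, so a first triage question for a pile of untrusted images is which of them contain lossless (VP8L) data at all. The following script is an added example for this record, not code from libwebp, Chromium or any of the sources listed below. It walks the WebP RIFF container (chunk layout per the WebP container format), including ALPH chunks with lossless-compressed alpha and frames nested in ANMF chunks of animated files, and reports the chunks that would be handed to the VP8L decoder. It never decodes a bitstream and does not detect the malformed Huffman code lengths that trigger the overflow; the sample files at the bottom are constructed placeholders, not real images.

```python
"""Triage: does a WebP file hand data to libwebp's lossless (VP8L) decoder?

Added example, not code from libwebp or from this record's sources.
CVE-2023-4863 is an out-of-bounds write in BuildHuffmanTable(), which is
reached only through the VP8L bitstream reader.  That reader is used for
VP8L image chunks and for ALPH chunks whose alpha plane is stored with
compression method 1 (lossless), including both nested inside ANMF
frames of an animated file.  This walker parses the RIFF container only
(it never decodes a bitstream) and lists the chunks that would reach
that code path.  Chunk layout follows the WebP container format.
"""
import struct
import sys

RIFF_HEADER_LEN = 12        # "RIFF" + u32 payload size + "WEBP"
CHUNK_HEADER_LEN = 8        # FourCC + u32 payload size
ANMF_FRAME_HEADER_LEN = 16  # x/y offsets, size, duration, flags; then sub-chunks


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, payload) for the RIFF chunks in data[start:end].

    Payloads are padded to an even length.  A chunk whose declared size
    runs past `end` raises ValueError so malformed files are reported,
    not silently treated as clean.
    """
    pos = start
    while pos + CHUNK_HEADER_LEN <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload_start = pos + CHUNK_HEADER_LEN
        payload_end = payload_start + size
        if payload_end > end:
            raise ValueError(f"chunk {fourcc!r} at offset {pos} overruns the container")
        yield fourcc, data[payload_start:payload_end]
        pos = payload_end + (size & 1)


def lossless_chunks(data: bytes):
    """Return [(chunk path, reason)] for chunks decoded by the VP8L reader."""
    if len(data) < RIFF_HEADER_LEN or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP RIFF container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)   # trailing junk after the RIFF is ignored
    hits = []

    def visit(chunks, path):
        for fourcc, payload in chunks:
            here = path + "/" + fourcc.decode("ascii", "replace").strip()
            if fourcc == b"VP8L":
                hits.append((here, "VP8L image bitstream"))
            elif fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
                # ALPH header byte: bits 1..0 = compression; 1 means lossless-coded alpha
                hits.append((here, "ALPH plane, compression=1 (lossless)"))
            elif fourcc == b"ANMF" and len(payload) >= ANMF_FRAME_HEADER_LEN:
                visit(iter_chunks(payload, ANMF_FRAME_HEADER_LEN, len(payload)), here)

    visit(iter_chunks(data, RIFF_HEADER_LEN, end), "")
    return hits


def chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Serialise one RIFF chunk (used only to build the constructed samples)."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def webp(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: valid containers with placeholder bitstreams, not real images.
SIMPLE_LOSSY = webp(chunk(b"VP8 ", b"\x00" * 10))
SIMPLE_LOSSLESS = webp(chunk(b"VP8L", b"\x2f" + b"\x00" * 9))      # 0x2f = VP8L signature
EXTENDED_ANIMATED = webp(
    chunk(b"VP8X", b"\x12" + b"\x00" * 9),                          # alpha + animation flags
    chunk(b"ANIM", b"\x00" * 6),
    chunk(b"ANMF", b"\x00" * ANMF_FRAME_HEADER_LEN
          + chunk(b"ALPH", b"\x01" + b"\x00" * 4)                   # lossless-coded alpha
          + chunk(b"VP8 ", b"\x00" * 10)),                          # lossy colour data
)

if __name__ == "__main__":
    # Usage: python webp_triage.py a.webp b.webp ...   (no arguments: run the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("simple-lossy", SIMPLE_LOSSY), ("simple-lossless", SIMPLE_LOSSLESS),
        ("extended-animated", EXTENDED_ANIMATED)]
    for name, blob in targets:
        try:
            hits = lossless_chunks(blob)
        except ValueError as exc:
            print(f"{name}: malformed ({exc})")
            continue
        paths = ", ".join(p for p, _ in hits)
        print(f"{name}: {'reaches VP8L decoder via ' + paths if hits else 'lossy only'}")
```

A file with no lossless payload cannot reach BuildHuffmanTable() and can be deprioritised; a file that has one is not thereby malicious, it simply must only ever be decoded by a fixed libwebp (1.3.2 or a distribution backport). Malformed containers are reported as errors rather than passed as clean, since a file that confuses the container walker is exactly the kind that deserves a closer look.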

Risk And Classification

EPSS: 0.94117 exploitation probability, percentile 0.99909 (scored 2026-04-01)

CISA KEV: listed 2023-09-13; remediation due 2023-10-04; known ransomware use: Unknown

Problem Types: CWE-787 (Out-of-bounds Write)

CISA Known Exploited Vulnerability

Vendor: Google
Product: Chromium WebP
Name: Google Chromium WebP Heap-Based Buffer Overflow Vulnerability
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1; https://nvd.nist.gov/vuln/detail/CVE-2023-4863

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Operating System | Debian | Debian Linux | 11.0 | All | All | All
Operating System | Debian | Debian Linux | 12.0 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Operating System | Fedoraproject | Fedora | 38 | All | All | All
Operating System | Fedoraproject | Fedora | 39 | All | All | All
Application | Google | Chrome | All | All | All | All
Application | Microsoft | Edge | All | All | All | All
Application | Mozilla | Firefox | All | All | All | All
Application | Mozilla | Firefox ESR | All | All | All | All
Application | Mozilla | Thunderbird | All | All | All | All
Application | Webmproject | Libwebp | All | All | All | All
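The CPE rows above say "All" for the libwebp and browser versions, which does not tell you whether a given host is fixed. The following script is an added example for this record, not code from libwebp, Pillow or any source listed here; it asks the copies of libwebp a Python process actually loads for their version and compares against the 1.3.2 fix. Two assumptions are built in and labelled in the code: PIL.features.version("webp") is the Pillow call that reports the bundled libwebp version (treated as unknown if absent), and WebPGetDecoderVersion() packs the version as 0xMMmmrr, which is how the libwebp API documents it.

```python
"""Which libwebp does this process really load, and is it at least 1.3.2?

Added example, not code from libwebp, Pillow or this record's sources.
The fix shipped in libwebp 1.3.2 (commit 902bc91).  Two things the
distro package list does not tell you: (a) wheels such as Pillow bundle
their own copy of libwebp, so each binding must be asked which version
it was built against, and (b) distributions backport fixes without
bumping the upstream version, so an upstream-version comparison is only
conclusive for self-built, vendored or wheel-bundled copies.
"""
import ctypes
import ctypes.util
import re

FIXED_LIBWEBP = (1, 3, 2)


def parse_version(text: str):
    """'1.3.1', 'v1.3.2-rc1', '1.2' -> tuple of ints; a missing patch level is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_fixed_upstream(version: str) -> bool:
    """True when the *upstream* version is at least 1.3.2 (no backport awareness)."""
    return parse_version(version) >= FIXED_LIBWEBP


def unpack_decoder_version(packed: int) -> str:
    """WebPGetDecoderVersion() packs major/minor/revision as 0xMMmmrr (assumed per libwebp docs)."""
    return f"{(packed >> 16) & 0xFF}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def probe_pillow():
    """Version of the libwebp Pillow was built against, or None if unavailable.

    Assumption: PIL.features.version("webp") reports it.  Any failure
    (no Pillow, no WebP support, older API) is 'unknown', never 'fixed'.
    """
    try:
        from PIL import features
        return features.version("webp")
    except Exception:
        return None


def probe_shared_library(name: str = "webp"):
    """Version reported by the system libwebp located through the dynamic loader."""
    path = ctypes.util.find_library(name)
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.WebPGetDecoderVersion.restype = ctypes.c_int
        return unpack_decoder_version(lib.WebPGetDecoderVersion())
    except (OSError, AttributeError):
        return None


def verdict(label: str, version) -> str:
    """One human-readable line per probed copy; unknown is reported, not assumed fixed."""
    if version is None:
        return f"{label}: libwebp not found or version unknown; check manually"
    if is_fixed_upstream(version):
        return f"{label}: libwebp {version} -> fixed upstream"
    return f"{label}: libwebp {version} -> BELOW 1.3.2 (confirm a distro backport or update)"


if __name__ == "__main__":
    print(verdict("Pillow (bundled)", probe_pillow()))
    print(verdict("system libwebp (ctypes)", probe_shared_library()))
```

For distribution packages, rely on the advisory mapping in the Legacy QID list below (or the distro's own tracker) rather than on the upstream number: Debian's DSA-5497 builds, for example, carry the fix under a 1.2.x package version, and this script would flag them as "BELOW 1.3.2" until you confirm the backport.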

References

Reference | Source | Link | Tags
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
1215231 – (CVE-2023-4863) VUL-0: CVE-2023-4863: libwebp,MozillaFirefox,MozillaThunderbird,chromium,ungoogled-chromium: Heap buffer overflow in WebP MISC bugzilla.suse.com
Whose CVE Is It Anyway? - Adam Caudill MISC adamcaudill.com Third Party Advisory
Critical WebP bug: many apps, not just browsers, under threat MISC stackdiary.com
1479274 - chromium - An open-source project to help move the web forward. - Monorail MISC crbug.com
Debian -- Security Information -- DSA-5497-1 libwebp MISC www.debian.org Third Party Advisory
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
[SECURITY] Fedora 38 Update: chromium-117.0.5938.62-1.fc38 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org Mailing List, Third Party Advisory
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
[SECURITY] [DLA 3569-1] thunderbird security update MISC lists.debian.org Mailing List, Third Party Advisory
Google fixes another Chrome zero-day bug exploited in attacks MISC www.bleepingcomputer.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
Gentoo GLSA 202401-10 (Mozilla Firefox: Multiple Vulnerabilities) MISC security.gentoo.org
[SECURITY] [DLA 3568-1] firefox-esr security update MISC lists.debian.org Mailing List, Third Party Advisory
Debian -- Security Information -- DSA-5496-1 firefox-esr MISC www.debian.org Third Party Advisory
Release v1.3.2: libwebp-1.3.2 · webmproject/libwebp · GitHub MISC github.com Release Notes
Chrome: Heap buffer overflow in WebP | Hacker News MISC news.ycombinator.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
[SECURITY] Fedora 37 Update: libwebp-1.3.1-3.fc37 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org Mailing List, Third Party Advisory
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
Fix OOB write in BuildHuffmanTable. · webmproject/libwebp@902bc91 · GitHub MISC github.com
CVE-2023-4863 Libwebp Vulnerability in NetApp Products | NetApp Product Security MISC security.netapp.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
CVE-2023-4863 MISC security-tracker.debian.org
Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 — Mozilla MISC www.mozilla.org
Patching the libwebp vulnerability across the Python ecosystem MISC sethmlarson.dev
[SECURITY] Fedora 38 Update: libwebp-1.3.1-3.fc38 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org Mailing List, Third Party Advisory
The WebP 0day MISC blog.isosceles.com
[SECURITY] Fedora 39 Update: libwebp-1.3.1-3.fc39 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org Mailing List, Third Party Advisory
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
oss-security - CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
Honeyview - Version history, Changelog MISC en.bandisoft.com
oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec MISC www.openwall.com
Security Update Guide - Microsoft Security Response Center MISC msrc.microsoft.com
[SECURITY] [DLA 3570-1] libwebp security update MISC lists.debian.org Mailing List, Third Party Advisory
Bentley Systems advisory (title not recoverable; the linked page returned 403 Forbidden) MISC www.bentley.com
[SECURITY] Fedora 37 Update: chromium-117.0.5938.88-1.fc37 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
[SECURITY] Fedora 39 Update: firefox-117.0.1-2.fc39 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org Mailing List, Third Party Advisory
WebP: Multiple vulnerabilities (GLSA 202309-05) — Gentoo security MISC security.gentoo.org Third Party Advisory
Debian -- Security Information -- DSA-5498-1 thunderbird MISC www.debian.org Third Party Advisory
[SECURITY] Fedora 39 Update: chromium-117.0.5938.132-2.fc39 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
Chrome Releases: Stable Channel Update for Desktop MISC chromereleases.googleblog.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
CISA Known Exploited Vulnerabilities catalog CISA www.cisa.gov kev

Legacy QID Mappings

  • 160919 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5184)
  • 160920 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5197)
  • 160922 Oracle Enterprise Linux Security Update for firefox (ELSA-2023-5200)
  • 160923 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5191)
  • 160925 Oracle Enterprise Linux Security Update for libwebp (ELSA-2023-5214)
  • 160926 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5224)
  • 160928 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-5201)
  • 160931 Oracle Enterprise Linux Security Update for libwebp (ELSA-2023-5309)
  • 199748 Ubuntu Security Notification for Firefox Vulnerability (USN-6367-1)
  • 199749 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-6368-1)
  • 199753 Ubuntu Security Notification for libwebp Vulnerability (USN-6369-1)
  • 199790 Ubuntu Security Notification for libwebp Vulnerability (USN-6369-2)
  • 242035 Red Hat Update for libwebp (RHSA-2023:5190)
  • 242036 Red Hat Update for firefox (RHSA-2023:5205)
  • 242037 Red Hat Update for firefox (RHSA-2023:5183)
  • 242038 Red Hat Update for thunderbird (RHSA-2023:5202)
  • 242039 Red Hat Update for thunderbird (RHSA-2023:5188)
  • 242042 Red Hat Update for firefox (RHSA-2023:5198)
  • 242043 Red Hat Update for thunderbird (RHSA-2023:5185)
  • 242044 Red Hat Update for firefox (RHSA-2023:5200)
  • 242046 Red Hat Update for libwebp (RHSA-2023:5189)
  • 242047 Red Hat Update for firefox (RHSA-2023:5192)
  • 242048 Red Hat Update for firefox (RHSA-2023:5197)
  • 242049 Red Hat Update for libwebp (RHSA-2023:5204)
  • 242051 Red Hat Update for thunderbird (RHSA-2023:5201)
  • 242052 Red Hat Update for thunderbird (RHSA-2023:5191)
  • 242053 Red Hat Update for thunderbird (RHSA-2023:5186)
  • 242054 Red Hat Update for firefox (RHSA-2023:5184)
  • 242055 Red Hat Update for firefox (RHSA-2023:5187)
  • 242057 Red Hat Update for thunderbird (RHSA-2023:5223)
  • 242059 Red Hat Update for thunderbird (RHSA-2023:5224)
  • 242061 Red Hat Update for libwebp (RHSA-2023:5214)
  • 242072 Red Hat Update for libwebp: Critical (RHSA-2023:5236)
  • 242079 Red Hat Update for libwebp (RHSA-2023:5309)
  • 242125 Red Hat Update for libwebp (RHSA-2023:5222)
  • 284510 Fedora Security Update for libwebp (FEDORA-2023-c4fa8a204d)
  • 284515 Fedora Security Update for libwebp (FEDORA-2023-3388038193)
  • 284523 Fedora Security Update for chromium (FEDORA-2023-3bfb63f6d2)
  • 284530 Fedora Security Update for chromium (FEDORA-2023-b427f54e68)
  • 285232 Fedora Security Update for chromium (FEDORA-2023-c890266d3f)
  • 285255 Fedora Security Update for firefox (FEDORA-2023-6bdc468df7)
  • 285260 Fedora Security Update for libwebp (FEDORA-2023-f8319bd876)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 296107 Oracle Solaris 11.4 Support Repository Update (SRU) 65.157.1 Missing (CPUJAN2024)
  • 356378 Amazon Linux Security Advisory for libwebp : ALAS2023-2023-355
  • 356381 Amazon Linux Security Advisory for libwebp : ALAS2023-2023-358
  • 356426 Amazon Linux Security Advisory for libwebp12 : ALAS2-2023-2290
  • 356442 Amazon Linux Security Advisory for thunderbird : ALAS2-2023-2291
  • 356602 Amazon Linux Security Advisory for firefox : ALAS2FIREFOX-2023-015
  • 356734 Amazon Linux Security Advisory for qt5-qtimageformats : ALAS2-2023-2337
  • 378893 Alibaba Cloud Linux Security Update for libwebp (ALINUX3-SA-2023:0115)
  • 378941 Microsoft Teams Heap Buffer Overflow Vulnerability for Sep 2023
  • 379055 Opera Browser 102.0.4880.51 Stable Update
  • 379057 Vivaldi Desktop Browser 6.2 Update
  • 379059 Brave Browser v1.57.64 (Chromium 116.0.5845.188) Update
  • 503311 Alpine Linux Security Update for libwebp
  • 503312 Alpine Linux Security Update for libwebp
  • 503313 Alpine Linux Security Update for libwebp
  • 503314 Alpine Linux Security Update for libwebp
  • 503315 Alpine Linux Security Update for qt5-qtimageformats
  • 503461 Alpine Linux Security Update for firefox-esr
  • 505723 Alpine Linux Security Update for chromium
  • 505890 Alpine Linux Security Update for libwebp
  • 506069 Alpine Linux Security Update for firefox-esr
  • 506184 Alpine Linux Security Update for qt5-qtimageformats
  • 506201 Alpine Linux Security Update for qt5-qtwebengine
  • 6000011 Debian Security Update for firefox-esr (DLA 3568-1)
  • 6000012 Debian Security Update for thunderbird (DLA 3569-1)
  • 6000013 Debian Security Update for libwebp (DLA 3570-1)
  • 6000175 Debian Security Update for libwebp (DSA 5497-2)
  • 6000184 Debian Security Update for thunderbird (DSA 5498-1)
  • 6000205 Debian Security Update for firefox-esr (DSA 5496-1)
  • 6000230 Debian Security Update for libwebp (DSA 5497-1)
  • 610513 Google Android Devices October 2023 Security Patch Missing
  • 610519 Google Android November 2023 Security Patch Missing for Samsung
  • 610520 Google Android November 2023 Security Patch Missing for Huawei EMUI
  • 673445 EulerOS Security Update for libwebp (EulerOS-SA-2023-3276)
  • 673462 EulerOS Security Update for libwebp (EulerOS-SA-2023-3309)
  • 673537 EulerOS Security Update for libwebp (EulerOS-SA-2023-3186)
  • 673835 EulerOS Security Update for libwebp (EulerOS-SA-2023-3248)
  • 673866 EulerOS Security Update for libwebp (EulerOS-SA-2024-1149)
  • 673882 EulerOS Security Update for libwebp (EulerOS-SA-2024-1280)
  • 673928 EulerOS Security Update for libwebp (EulerOS-SA-2023-3341)
  • 674031 EulerOS Security Update for libwebp (EulerOS-SA-2023-3221)
  • 691303 Free Berkeley Software Distribution (FreeBSD) Security Update for libwebp heap buffer overflow (58a738d4-57af-11ee-8c58-b42e991fc52e)
  • 691304 Free Berkeley Software Distribution (FreeBSD) Security Update for graphics/webp heap buffer overflow (4fd7a2fc-5860-11ee-a1b3-dca632daf43b)
  • 710750 Gentoo Linux WebP Multiple Vulnerabilities (GLSA 202309-05)
  • 710830 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202401-10)
  • 754836 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3610-1)
  • 754837 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3609-1)
  • 754843 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:3626-1)
  • 754850 SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2023:3634-1)
  • 754862 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2023:3664-1)
  • 754932 SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2023:3794-1)
  • 754961 SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2023:3829-1)
  • 907357 Common Base Linux Mariner (CBL-Mariner) Security Update for libwebp (29758-1)
  • 941259 AlmaLinux Security Update for libwebp (ALSA-2023:5309)
  • 941263 AlmaLinux Security Update for firefox (ALSA-2023:5184)
  • 941265 AlmaLinux Security Update for thunderbird (ALSA-2023:5201)
  • 941267 AlmaLinux Security Update for libwebp (ALSA-2023:5214)
  • 941268 AlmaLinux Security Update for firefox (ALSA-2023:5200)
  • 941269 AlmaLinux Security Update for thunderbird (ALSA-2023:5224)
  • 961016 Rocky Linux Security Update for firefox (RLSA-2023:5184)
  • 961020 Rocky Linux Security Update for libwebp (RLSA-2023:5309)
  • 961034 Rocky Linux Security Update for libwebp (RLSA-2023:5214)
  • 961036 Rocky Linux Security Update for thunderbird (RLSA-2023:5201)
  • 995285 Rust (Rust) Security Update for libwebp-sys2 (GHSA-j7hp-h8jx-5ppr)
  • 995301 NodeJs (Npm) Security Update for electron (GHSA-j7hp-h8jx-5ppr)
  • 995331 GO (Go) Security Update for github.com/chai2010/webp (GHSA-j7hp-h8jx-5ppr)
  • 995350 DotNet (Nuget) Security Update for SkiaSharp (GHSA-j7hp-h8jx-5ppr)
  • 995498 Python (Pip) Security Update for Pillow (GHSA-j7hp-h8jx-5ppr)
  • 995522 Python (Pip) Security Update for pillow (GHSA-56pw-mpj4-fxww)
  • 995523 Python (Pip) Security Update for imagecodecs (GHSA-94vc-p8w7-5p49)
  • 995537 DotNet (Nuget) Security Update for ImageResizer.Plugins.FreeImage (GHSA-wqcr-xm43-hpqr)
  • 995538 Python (Pip) Security Update for webp (GHSA-f9pm-4g9p-6vm3)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
