Reported

September 12, 2023

Issued

September 13, 2023 (last modified: February 10, 2024)

Package

libwebp-sys (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#webp

Aliases

• CVE-2023-4863
• CVE-2023-5129
• GHSA-j7hp-h8jx-5ppr

Patched

• >=0.9.3

Description

Google and Mozilla have released security advisories for RCE due to heap overflow in libwebp. Google warns the vulnerability has been exploited in the wild.

libwebp needs to be updated to 1.3.2 to include a patch for "OOB write in BuildHuffmanTable".

Advisory available under CC0-1.0 license.