Google has quietly resubmitted a disclosure of a critical code execution vulnerability affecting thousands of individual apps and software frameworks, after its previous report gave readers the false impression that the threat only affected the Chrome browser.
The vulnerability originated in the libwebp code library that Google created in 2010 to render images in WebP, a then-new format that resulted in files that were up to 26 percent smaller compared to PNG images. Libwebp is integrated into almost every app, operating system, or other code library that renders WebP images, most notably the Electron framework used in Chrome and many other apps running on both desktop and mobile devices.
Two weeks ago, Google issued a security advisory regarding an alleged heap buffer overflow in WebP in Chrome. Google’s formal description, tracked as CVE-2023-4863, classified the affected vendor as “Google” and the affected software as “Chrome,” although any code that used libwebp was vulnerable. Critics warned that Google’s failure to note that thousands of other pieces of code were also vulnerable would lead to unnecessary delays in fixing the vulnerability, allowing attackers to execute malicious code when users do nothing other than boobytrap it View WebP image.
On Monday, Google filed a new disclosure, tracked as CVE-2023-5129. The new entry correctly lists libwebp as the affected vendor and affected software. Additionally, the vulnerability severity rating is increased from 10 to 10, up from 8.8.
The lack of completeness in the first CVE assigned by Google goes far beyond mere academic failure. More than two weeks after the vulnerability became known, a large number of software programs are still unpatched. The most glaring example is Microsoft Teams.
The vulnerability description in Google’s new post provides much more detailed information. The description in the old submission read:
A heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. (Chromium Security Severity: Critical)
The new description is:
With a specially crafted lossless WebP file, libwebp may write out-of-range data to the heap. The ReadHuffmanCodes() function assigns a size to the HuffmanCode buffer that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only considers sizes for first-level 8-bit table lookups, but not for second-level table lookups. libwebp allows codes with up to 15 bits (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to populate the second level tables, it may write data out of range. The OOB write to the undersized array occurs in ReplicateValue.
Regardless of whether it is listed as CVE-2023-4863 or CVE-2023-5129, the libwebp vulnerability is severe. Before using apps, users should ensure that the Electron versions they are using are v22.3.24, v24.8.3 or v25.8.1.