CVE-2023-4863 — Google Chromium WebP Heap-Based Buffer Overflow Vulnerability

libwebp — Critical WebP Image Heap Overflow Affecting Chrome, Firefox, Safari, Android, and Electron Apps

What is libwebp?

libwebp is Google's open-source library for encoding and decoding images in the WebP format, a web-oriented image format with both lossless and lossy modes. It is embedded in Google Chrome, Mozilla Firefox, Apple Safari (via WebKit), Android's media framework, Signal, Telegram, Microsoft Teams, and hundreds of other applications, and many more programs pull it in indirectly through image-processing libraries (ImageMagick, GD, Pillow) or through an embedded Chromium (Electron). Because WebP images are routinely served on the web and in messaging apps and are decoded automatically on display, a memory-safety bug in libwebp gives an attacker an exceptionally broad attack surface that needs no more user interaction than viewing an image.

Overview

CVE-2023-4863 is a heap-based buffer overflow in libwebp's Huffman table construction for lossless (VP8L) decoding. A crafted WebP image triggers an out-of-bounds heap write during decoding, which an attacker can turn into code execution in whatever process decodes the image. Apple Security Engineering and Architecture (SEAR) and The Citizen Lab reported the bug to Google on September 6, 2023; Google shipped the Chrome fix on September 11, 2023, stating that an exploit existed in the wild. Because the flaw is in the shared library rather than in Chrome-specific code, it affected every application embedding libwebp: Firefox, Safari, Electron-based apps, Android, and image-processing libraries. Citizen Lab connected it to the same commercial spyware activity behind the other September 2023 zero-days.

Affected Versions

Product | Affected | Fixed
Google Chrome | prior to 116.0.5845.187 | 116.0.5845.187
Mozilla Firefox | prior to 117.0.1 | 117.0.1
Mozilla Firefox ESR 115 | prior to 115.2.1 | 115.2.1
Mozilla Firefox ESR 102 | prior to 102.15.1 | 102.15.1
libwebp (upstream) | prior to 1.3.2 | 1.3.2
Microsoft Edge | prior to the corresponding Chromium update | updated with the Chromium patch
Android | various (September/October 2023 patch level) | September/October 2023 security bulletin
Electron-based apps | varies by app (each embeds its own Chromium) | each app needs its own update

Linux distributions commonly backport the fix into the package version they already ship (a 1.2.x package with a security revision, for example), so the upstream version number alone does not tell you whether a system package is vulnerable; check the distribution's security tracker or package changelog.

Technical Details

The vulnerability (CWE-787) is in BuildHuffmanTable() in src/utils/huffman_utils.c, which turns the per-symbol code lengths carried in a lossless (VP8L) bitstream into a two-level lookup table: a root table indexed by the first few bits of a code, with second-level tables for longer codes. Before the fix, the caller allocated this table from a precomputed size table whose entries were worked out for the worst case over valid, complete Huffman codes, and the function checked that the code was actually complete only after it had finished writing the second-level tables. Code lengths that do not describe a complete code therefore pass the up-front checks yet can demand more second-level table space than was allocated, so the function writes past the end of the heap buffer with values derived from the image data. Both VP8L images and lossy images whose ALPH (alpha) chunk uses lossless compression go through this decoder. The fix in libwebp 1.3.2 first runs the table builder in a counting mode that validates the code lengths and computes the exact size needed, and only then allocates and writes.

By carefully crafting a WebP image that triggers the overflow with specific data, an attacker can:

  1. Overwrite adjacent heap allocations to corrupt memory management metadata or function pointers.
  2. Achieve controlled code execution within the process that renders the image.

In a browser, the decoder runs in the sandboxed renderer process, so full device compromise additionally requires a sandbox escape, which is a separate vulnerability. Citizen Lab's BLASTPASS zero-click iMessage chain, disclosed on September 7, 2023 (CVE-2023-41064 in Apple's ImageIO together with CVE-2023-41061 in Wallet), is widely understood to have used the same underlying WebP bug; Apple and Citizen Lab reported the libwebp issue to Google the day before Apple's patch shipped. In that chain the WebP bug was the initial code execution step of a multi-stage attack.
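
The chunks the decoder sees, as an added example written for this page (not libwebp's or Google's code): a small Python walker over the WebP RIFF container that reports which bitstreams a file carries, and in particular whether any part of it is handled by the lossless (VP8L) decoder, the code path that contains BuildHuffmanTable(). It parses headers only, never pixel data; the sample files are constructed by hand and are not decodable images. A lossless bitstream is not evidence of an exploit. The check is useful for triage and for inventorying which images exercise the affected code, not as a substitute for patching.

```python
import struct

VP8L_SIGNATURE = 0x2F
VP8_START_CODE = b"\x9d\x01\x2a"


def _chunks(buf, pos, end):
    """Yield (fourcc, payload) for consecutive RIFF chunks in buf[pos:end]."""
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        (size,) = struct.unpack_from("<I", buf, pos + 4)
        payload = buf[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated chunk %r" % fourcc)
        yield fourcc, payload
        pos += 8 + size + (size & 1)  # an odd-sized payload is followed by one pad byte


def _vp8l_dims(payload):
    """Width/height from the VP8L header: signature byte, then 14+14 bits (+alpha, version)."""
    if len(payload) < 5 or payload[0] != VP8L_SIGNATURE:
        raise ValueError("bad VP8L signature")
    (bits,) = struct.unpack_from("<I", payload, 1)
    if bits >> 29:                      # 3-bit version field must be 0
        raise ValueError("unsupported VP8L version")
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1


def _vp8_dims(payload):
    """Width/height from a VP8 key frame: 3-byte frame tag, start code, two 16-bit fields."""
    if len(payload) < 10 or payload[3:6] != VP8_START_CODE:
        raise ValueError("bad VP8 key frame header")
    if payload[0] & 1:                  # frame tag bit 0: 0 = key frame
        raise ValueError("VP8 chunk is not a key frame")
    w, h = struct.unpack_from("<HH", payload, 6)
    return w & 0x3FFF, h & 0x3FFF       # top two bits of each field are scaling hints


def inspect_webp(data):
    """Summarise a WebP file: chunk order, canvas size, and whether the
    lossless (VP8L) decoder is used for image data or for alpha."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP file")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    info = {"chunks": [], "width": None, "height": None,
            "lossless_decoder_used": False, "reasons": []}

    def visit(buf, pos, end):
        for fourcc, payload in _chunks(buf, pos, end):
            info["chunks"].append(fourcc.decode("ascii"))
            if fourcc == b"VP8X":
                # extended header: flags, 3 reserved bytes, 24-bit width-1, 24-bit height-1
                info["width"] = int.from_bytes(payload[4:7], "little") + 1
                info["height"] = int.from_bytes(payload[7:10], "little") + 1
            elif fourcc == b"VP8L":
                if info["width"] is None:
                    info["width"], info["height"] = _vp8l_dims(payload)
                info["lossless_decoder_used"] = True
                info["reasons"].append("VP8L bitstream")
            elif fourcc == b"VP8 ":
                if info["width"] is None:
                    info["width"], info["height"] = _vp8_dims(payload)
            elif fourcc == b"ALPH":
                # alpha header byte: low two bits are the compression method, 1 = lossless
                if payload and (payload[0] & 0x03) == 1:
                    info["lossless_decoder_used"] = True
                    info["reasons"].append("ALPH chunk with lossless compression")
            elif fourcc == b"ANMF":
                # 16-byte frame header, then the frame's own VP8/VP8L/ALPH chunks
                visit(payload, 16, len(payload))

    visit(data, 12, min(len(data), 8 + riff_size))
    return info


def _riff(*chunks):
    """Wrap (fourcc, payload) pairs into a RIFF/WEBP container (constructed samples only)."""
    body = b"".join(fcc + struct.pack("<I", len(p)) + p + (b"\x00" if len(p) & 1 else b"")
                    for fcc, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


# Constructed 16x16 headers with dummy bitstream bytes; not real images.
SAMPLE_LOSSLESS = _riff(
    (b"VP8L", bytes([VP8L_SIGNATURE]) + struct.pack("<I", 15 | (15 << 14)) + b"\x00" * 4))
SAMPLE_LOSSY = _riff(
    (b"VP8 ", b"\x10\x00\x00" + VP8_START_CODE + struct.pack("<HH", 16, 16)))
SAMPLE_LOSSY_LOSSLESS_ALPHA = _riff(
    (b"VP8X", b"\x10\x00\x00\x00" + (15).to_bytes(3, "little") + (15).to_bytes(3, "little")),
    (b"ALPH", b"\x01" + b"\x00" * 3),
    (b"VP8 ", b"\x10\x00\x00" + VP8_START_CODE + struct.pack("<HH", 16, 16)),
)

if __name__ == "__main__":
    for name, blob in [("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY),
                       ("lossy + lossless alpha", SAMPLE_LOSSY_LOSSLESS_ALPHA)]:
        print(name, inspect_webp(blob))
```

Run it on real files with `inspect_webp(open(path, "rb").read())`. The ALPH case matters in practice: a file that looks "lossy" because its image chunk is VP8 still reaches the VP8L Huffman decoder when its alpha plane is losslessly compressed, so filters that only key on a VP8L chunk miss half of the affected inputs.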

Tracking of the bug was initially confusing. CVE-2023-4863 was scoped to Chrome (NVD scores it CVSS 8.8 HIGH, with the user interaction of viewing a page), even though the vulnerable code is the library. On September 25, 2023 Google issued a separate CVE-2023-5129 for libwebp itself with a CVSS 10.0 CRITICAL rating, then withdrew it within days as a duplicate of CVE-2023-4863. The practical consequence is that scanners keyed only on the Chrome advisory miss the many non-browser products that ship libwebp.

Discovery

Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto discovered CVE-2023-4863 and reported it to Google. The discovery context — Citizen Lab's focus on spyware targeting — strongly suggests the vulnerability was observed being actively exploited against a targeted individual before the report.

Exploitation Context

Google stated at disclosure that an exploit for CVE-2023-4863 existed in the wild. It belongs to the September 2023 wave of commercial spyware zero-days, alongside CVE-2023-5217 in libvpx (also reported as exploited in the wild), the BLASTPASS iMessage chain (CVE-2023-41064 and CVE-2023-41061), and the Apple CVE-2023-41991/41992/41993 chain reported by Citizen Lab and Google's Threat Analysis Group. The breadth of affected software (Chrome, Firefox, Safari, Android, and Electron apps) made this one of the most widely impacting media library vulnerabilities in recent years.

CISA added it to the KEV catalog two days after the Chrome patch, on September 13, 2023.

Remediation

  1. Update Chrome to 116.0.5845.187 or later (Settings → About Chrome triggers the update check) and relaunch the browser; the new binary is not in use until restart.
  2. Update Firefox to 117.0.1, ESR 115.2.1 or ESR 102.15.1 from Mozilla, and Thunderbird, which uses the same image decoder (102.15.1 / 115.2.2).
  3. Update all Electron-based applications separately. Slack, Discord, VS Code, Signal Desktop, Obsidian, and many others embed their own Chromium with its own libwebp, so a patched system browser does nothing for them; check each app's release notes for a build on an Electron version that carries the fix.
  4. Update the libwebp system package on Linux (apt, yum, dnf, pacman). Verify through the distribution's security tracker rather than by version number alone, since backported fixes keep the older package version.
  5. Apply the Android September/October 2023 security updates; Android's media subsystem uses libwebp.
  6. Audit container images and vendored copies. Base images built before the fix carry the vulnerable libwebp and must be rebuilt; statically linked and bundled copies (Python Pillow wheels, fixed in Pillow 10.0.1; ImageMagick, GD and ffmpeg builds; language bindings that compile libwebp from source) are not fixed by the system package and need their own updates.
  7. Update Microsoft Teams, Zoom, and other communication platforms; many use Electron or embed Chromium and required separate updates.
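
A branch-aware version check against the fixed releases listed on this page, as an added example written for this page (not vendor or project tooling). The fixed-version table is the page's, plus Firefox ESR 115.2.1 from Mozilla's advisory; `installed_libwebp_version()` calls libwebp's real `WebPGetDecoderVersion()` export through ctypes and returns None when no shared libwebp can be found. The inventory is constructed. Distribution packages below the upstream fixed version are reported as `check-backport` rather than `vulnerable`, because a backported fix keeps the old version number and only the distribution's advisory can settle it.

```python
import ctypes
import ctypes.util
import re

# First fixed release per product, keyed by the major version of a separately
# maintained branch (Firefox ESR 102 and 115); None is the default branch.
# Values are from this page; ESR 115.2.1 is from Mozilla's advisory (MFSA 2023-40).
FIXED = {
    "chrome":  {None: (116, 0, 5845, 187)},
    "firefox": {102: (102, 15, 1), 115: (115, 2, 1), None: (117, 0, 1)},
    "libwebp": {None: (1, 3, 2)},
}


def parse_version(text):
    """Leading dotted integers of a version string, e.g. '1.3.2-1~deb12u1' -> (1, 3, 2)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(product, version):
    """True if `version` is at or past the first fixed release on its branch."""
    v = parse_version(version)
    branches = FIXED[product]
    return v >= branches.get(v[0], branches[None])


def status(product, version, distro_package=False):
    """'fixed', 'vulnerable', or 'check-backport' for a distro package that is
    below the upstream fixed version (distros patch in place and keep the old number)."""
    if is_fixed(product, version):
        return "fixed"
    return "check-backport" if distro_package else "vulnerable"


def audit(inventory):
    """Rows of (host, product, version, distro_package) -> the same rows with a status."""
    return [(host, product, version, status(product, version, distro))
            for host, product, version, distro in inventory]


def decode_libwebp_version(packed):
    """libwebp packs its version as (major << 16) | (minor << 8) | revision."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def installed_libwebp_version():
    """Version reported by the shared libwebp on this host, or None if none is loadable."""
    name = ctypes.util.find_library("webp")
    if not name:
        return None
    lib = ctypes.CDLL(name)
    lib.WebPGetDecoderVersion.restype = ctypes.c_int
    return decode_libwebp_version(lib.WebPGetDecoderVersion())


# Constructed inventory for the demonstration (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("laptop-01", "chrome", "116.0.5845.180", False),
    ("laptop-02", "chrome", "117.0.5938.62", False),
    ("build-03", "firefox", "115.2.0esr", False),
    ("build-04", "firefox", "115.2.1esr", False),
    ("web-05", "libwebp", "1.2.4-0.2", True),      # Debian-style package version
    ("web-06", "libwebp", "1.3.2", False),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("%-10s %-8s %-16s %s" % row)
    local = installed_libwebp_version()
    if local is None:
        print("local libwebp: not found")
    else:
        ver = "%d.%d.%d" % local
        print("local libwebp:", ver, "->", status("libwebp", ver))
```

The branch table is the part worth copying: a flat "older than 117.0.1 is vulnerable" rule wrongly flags ESR 115.2.1 and, worse, the same shape of rule applied to 102.x or 115.x would wrongly pass nothing at all. For the local probe, remember that it reports whichever libwebp the dynamic loader finds first, which is not necessarily the copy bundled inside an Electron app or a Python wheel on the same host.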

Key Details

Property | Value
CVE ID | CVE-2023-4863
Vendor / Product | Google — Chromium WebP
NVD Published | 2023-09-12
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787 (Out-of-bounds Write)
CISA KEV Added | 2023-09-13
CISA KEV Deadline | 2023-10-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2023-09-06 | Apple Security Engineering and Architecture (SEAR) and Citizen Lab report the vulnerability to Google
2023-09-07 | Apple releases iOS 16.6.1 and macOS Ventura 13.5.2 fixing the BLASTPASS chain (CVE-2023-41064, CVE-2023-41061)
2023-09-11 | Google releases Chrome 116.0.5845.187, patching CVE-2023-4863 as an actively exploited zero-day
2023-09-12 | Mozilla releases Firefox 117.0.1, Firefox ESR 115.2.1 and Firefox ESR 102.15.1 patching the same libwebp flaw
2023-09-13 | libwebp 1.3.2 released upstream with the fix; CISA adds CVE-2023-4863 to the Known Exploited Vulnerabilities catalog
2023-09-25 | Google assigns CVE-2023-5129 (CVSS 10.0) to the libwebp library, then withdraws it within days as a duplicate of CVE-2023-4863
2023-10-04 | CISA BOD 22-01 remediation deadline