Threat Intelligence: Critical Maximum-Rating Vulnerability in the libwebp Library
Posted: September 9, 2023
This alert is about a very serious vulnerability—identified as CVE-2023-5129—that could be hiding all over your clients’ environments. In fact, CVE-2023-5129 is so serious that Google has stamped it with their highest severity rating: a solid 10/10.
CVE-2023-5129 was initially classified as a Chrome-only issue, but it is now understood to affect any software that uses the libwebp open-source library.
Here is the technical gist: the flaw is a heap buffer overflow in libwebp's WebP decoding, specifically in the Huffman coding used for lossless compression. Malicious actors can potentially exploit it to execute unauthorized commands or access sensitive data via maliciously crafted pages.
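To make the "lossless compression" qualifier concrete, here is an added triage helper (not from the original post or from libwebp) that parses the WebP RIFF container and reports whether a file would reach libwebp's lossless decoder: through a VP8L bitstream, through an ALPH chunk whose compression method is 1, or through either of those inside an ANMF animation frame. Chunk layouts follow the public WebP container specification; the sample containers are constructed, header-only blobs.

```python
"""Triage: does a WebP file reach libwebp's lossless (Huffman) decoder? Added example,
not libwebp code; VP8L, ALPH with compression method 1, and both inside ANMF frames qualify."""
import struct

def iter_chunks(buf: bytes):
    """Yield (fourcc, payload) for each RIFF chunk in buf; payloads are padded to even size."""
    off = 0
    while off + 8 <= len(buf):
        fourcc, size = buf[off:off + 4], struct.unpack_from("<I", buf, off + 4)[0]
        payload = buf[off + 8:off + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated {fourcc!r} chunk")
        yield fourcc, payload
        off += 8 + size + (size & 1)

def lossless_paths(data: bytes) -> list:
    """Return why this file exercises the lossless decoder (empty list: lossy only)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]  # counts from the "WEBP" tag onwards
    reasons = []
    def walk(buf: bytes, where: str) -> None:
        for fourcc, payload in iter_chunks(buf):
            if fourcc == b"VP8L":
                if not payload or payload[0] != 0x2F:
                    raise ValueError("VP8L chunk lacks its 0x2F signature byte")
                reasons.append(where + "VP8L lossless bitstream")
            elif fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
                reasons.append(where + "ALPH chunk with lossless-compressed alpha")
            elif fourcc == b"ANMF" and len(payload) >= 16:
                walk(payload[16:], "ANMF frame: ")  # 16-byte frame header, then sub-chunks
    walk(data[12:8 + riff_size], "")
    return reasons

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

def _webp(*chunks: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + sum(map(len, chunks))) + b"WEBP" + b"".join(chunks)

# Constructed containers with header-only bitstreams: enough for triage, not decodable images.
VP8L_HDR = b"\x2f\x00\x00\x00\x00"  # signature byte + 1x1 canvas, no alpha, version 0
SAMPLES = {
    "lossless": _webp(_chunk(b"VP8L", VP8L_HDR)),
    "lossy": _webp(_chunk(b"VP8 ", b"\x00" * 10)),
    "lossy_lossless_alpha": _webp(_chunk(b"VP8X", b"\x10" + b"\x00" * 9),  # 0x10: alpha flag
                                  _chunk(b"ALPH", b"\x01\x00"), _chunk(b"VP8 ", b"\x00" * 10)),
    "animated": _webp(_chunk(b"VP8X", b"\x02" + b"\x00" * 9), _chunk(b"ANIM", b"\x00" * 6),
                      _chunk(b"ANMF", b"\x00" * 16 + _chunk(b"VP8L", VP8L_HDR))),
}
```

A hit only means the file is handed to the lossless code path where the fix lands; it says nothing about whether the file is malicious, so remediation still means patching every copy of libwebp.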
The real problem, however, is that a great deal of software uses the libwebp library. We are therefore looking at a vast landscape of potentially affected software that includes 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, native Android web browsers, and more.
Remediating this vulnerability therefore requires you to pinpoint every piece of software in your clients’ environments (and your own) that integrates the libwebp library.
This will be a huge undertaking, and it underscores the critical importance of maintaining a complete, accurate, and up-to-date software inventory. We need to act fast and remediate thoroughly.
We can discuss CVE-2023-5129 further during office hours, coaching calls, and on the forum. But we need to get on this right away.
Stay tuned for new developments as this situation continues to quickly unfold.