PT-2023-31783 · Libwebp+4
Published
2023-09-12
·
Updated
2024-06-15
·
CVE-2023-5129
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
libwebp versions 0.5.0 through 1.3.1
Description
A critical vulnerability has been identified in the libwebp image library: a heap buffer overflow in BuildHuffmanTable() (src/utils/huffman_utils.c), reached from ReadHuffmanCodes() in the VP8L lossless decoder. A remote attacker who gets a crafted WebP lossless image decoded by a vulnerable application (for example by embedding it in an HTML page, a message, or an uploaded file) can cause an out-of-bounds heap write, which can be leveraged to execute arbitrary code in the context of the decoding process. Specially constructed Huffman code lengths in the image make the decoder build lookup tables larger than the buffer it allocated for them from a precomputed size. Google's libwebp-specific advisory initially carried the maximum CVSS score of 10.0; the score shown in the header of this page, 9.6, follows the vector given above. CVE-2023-5129 was later rejected as a duplicate of CVE-2023-4863, which tracks the same bug under the Chrome advisory. Any application that decodes untrusted images with libwebp is affected, including major web browsers and many other applications that bundle the library, so the exposure is very broad. The vulnerability has been exploited in the wild, and patches have been rolled out for affected applications.
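To make the failure mode concrete, the following C program is an added illustration written for this page, not libwebp's source, and all identifiers in it are hypothetical. It computes the exact size a two-level Huffman lookup table (root table plus one second-level table per root prefix) needs from the code lengths before anything is allocated, and rejects incomplete or over-subscribed codes. The vulnerable pattern is writing such a table into a buffer sized from a precomputed constant; the patched pattern is to size it from the actual code lengths first, which is what huffman_table_size() and huffman_table_fits() do here.

```c
/* Added illustration (not libwebp code): size a two-level Huffman lookup
 * table from canonical code lengths BEFORE allocating it.  All names are
 * this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CODE_LENGTH 15   /* longest code length the format allows */
#define MAX_ROOT_BITS   15

/* Exact number of table entries for a canonical prefix code with the given
 * code lengths (0 = symbol unused): 1 << root_bits root entries plus, for
 * every root prefix that has longer codes beneath it, a second-level table
 * sized by the longest such code.  Returns 0 when the lengths do not form a
 * complete prefix code or root_bits is out of range; a decoder must treat
 * that as a malformed stream rather than build anything. */
size_t huffman_table_size(const uint8_t *code_lengths, size_t num_symbols, int root_bits) {
    int count[MAX_CODE_LENGTH + 1] = {0};
    uint32_t next_code[MAX_CODE_LENGTH + 1];
    uint64_t kraft = 0;
    uint32_t code = 0;
    size_t i, total;
    int len;

    if (root_bits < 1 || root_bits > MAX_ROOT_BITS) return 0;
    for (i = 0; i < num_symbols; ++i) {
        if (code_lengths[i] > MAX_CODE_LENGTH) return 0;
        ++count[code_lengths[i]];
    }
    count[0] = 0;

    /* Completeness check (Kraft sum == 1): under- or over-subscribed codes are rejected. */
    for (len = 1; len <= MAX_CODE_LENGTH; ++len)
        kraft += (uint64_t)count[len] << (MAX_CODE_LENGTH - len);
    if (kraft != ((uint64_t)1 << MAX_CODE_LENGTH)) return 0;

    /* Canonical code assignment as in DEFLATE: codes of equal length are consecutive. */
    for (len = 1; len <= MAX_CODE_LENGTH; ++len) {
        code = (code + (uint32_t)count[len - 1]) << 1;
        next_code[len] = code;
    }

    /* Longest code under each root prefix fixes that prefix's second-level table size. */
    uint8_t *max_len = calloc((size_t)1 << root_bits, 1);
    if (max_len == NULL) return 0;
    for (i = 0; i < num_symbols; ++i) {
        len = code_lengths[i];
        if (len == 0) continue;
        uint32_t c = next_code[len]++;
        if (len > root_bits) {
            uint32_t prefix = c >> (len - root_bits);
            if (len > max_len[prefix]) max_len[prefix] = (uint8_t)len;
        }
    }
    total = (size_t)1 << root_bits;
    for (i = 0; i < ((size_t)1 << root_bits); ++i)
        if (max_len[i] != 0) total += (size_t)1 << (max_len[i] - root_bits);
    free(max_len);
    return total;
}

/* The check the vulnerable path lacked: 1 if a buffer of `capacity` entries
 * can hold the table, 0 otherwise.  Building into a smaller buffer is the
 * out-of-bounds heap write the advisory describes. */
int huffman_table_fits(const uint8_t *code_lengths, size_t num_symbols, int root_bits, size_t capacity) {
    size_t need = huffman_table_size(code_lengths, num_symbols, root_bits);
    return need != 0 && need <= capacity;
}

int main(void) {
    /* Constructed sample: a skewed code whose long codes all share root prefix 111. */
    const uint8_t chain[] = {1, 2, 3, 4, 5, 6, 7, 8, 8};
    printf("entries needed with root_bits=3: %zu\n", huffman_table_size(chain, sizeof chain, 3));
    printf("fits in a root-only buffer of 8 entries: %s\n",
           huffman_table_fits(chain, sizeof chain, 3, 8) ? "yes" : "no");
    return 0;
}
```

The skewed sample needs 8 root entries plus a 32-entry second-level table under prefix 111, so a buffer sized for the root table alone is overrun by 32 entries; sizing from the lengths, as the 1.3.2 fix does, makes that impossible.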
Recommendations
To resolve the issue, update libwebp to version 1.3.2 or later, which contains the fix for the "OOB write in BuildHuffmanTable" vulnerability. Because libwebp is frequently bundled or statically linked, update each affected application's own copy (browsers, Electron-based applications, image-processing bindings), not only the distribution package. If an update cannot be applied immediately, reject or quarantine WebP lossless input at the application boundary: VP8L bitstreams, and also ALPH chunks inside VP8X containers whose compression method is the lossless format, since both are decoded through the VP8L decoder's ReadHuffmanCodes() / BuildHuffmanTable() path. These are internal decoder functions, so the only way to avoid them is not to decode untrusted lossless WebP with a vulnerable build at all. Treat WebP lossless files from untrusted sources as hostile until the library is patched.
Exploit · Fix · Memory Corruption
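As an added example that is not part of the advisory or of libwebp, the following C routine implements the boundary check the workaround calls for: it walks the RIFF/WebP container with explicit bounds checks and reports whether the file carries a lossless bitstream, either a VP8L image chunk (recognised by its 0x2f signature byte) or an ALPH chunk whose compression method field is 1, meaning the alpha plane is stored in the lossless format. The sample files are constructed inline for this example; function, constant and sample names are this example's own.

```c
/* Added illustration (not libwebp code): classify a WebP file so an ingress
 * filter can drop lossless input while an unpatched libwebp is in use. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum webp_kind_t { WEBP_INVALID = -1, WEBP_LOSSY = 0, WEBP_LOSSLESS = 1 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns WEBP_LOSSLESS if a VP8L chunk or a lossless-compressed ALPH chunk is
 * present (simple or VP8X extended layout), WEBP_LOSSY if only a VP8 chunk is
 * found, and WEBP_INVALID for malformed or truncated input. */
int webp_kind(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0) return WEBP_INVALID;
    uint32_t riff_size = le32(buf + 4);          /* counts everything after the 8-byte RIFF header */
    if (riff_size < 4 || (size_t)riff_size > len - 8) return WEBP_INVALID;
    size_t end = 8 + riff_size;
    size_t pos = 12;
    int found_lossy = 0;
    while (pos + 8 <= end) {
        const uint8_t *fourcc = buf + pos;
        uint32_t csize = le32(buf + pos + 4);
        size_t payload = pos + 8;
        if (csize > end - payload) return WEBP_INVALID;          /* chunk overruns container */
        if (memcmp(fourcc, "VP8L", 4) == 0) {
            if (csize < 1 || buf[payload] != 0x2f) return WEBP_INVALID;  /* VP8L signature byte */
            return WEBP_LOSSLESS;
        }
        if (memcmp(fourcc, "ALPH", 4) == 0) {
            /* Low two bits of the first ALPH byte: 0 = raw, 1 = lossless-compressed alpha. */
            if (csize >= 1 && (buf[payload] & 3) == 1) return WEBP_LOSSLESS;
        }
        if (memcmp(fourcc, "VP8 ", 4) == 0) found_lossy = 1;
        pos = payload + csize + (csize & 1);                      /* chunks are padded to even size */
    }
    return found_lossy ? WEBP_LOSSY : WEBP_INVALID;
}

/* Constructed samples (headers only; payloads are not decodable images). */
static const uint8_t sample_lossless[] = {
    'R','I','F','F', 18,0,0,0, 'W','E','B','P',
    'V','P','8','L', 6,0,0,0, 0x2f,0,0,0,0,0 };
static const uint8_t sample_lossy[] = {
    'R','I','F','F', 22,0,0,0, 'W','E','B','P',
    'V','P','8',' ', 10,0,0,0, 0,0,0,0,0,0,0,0,0,0 };
static const uint8_t sample_vp8x_alpha[] = {
    'R','I','F','F', 42,0,0,0, 'W','E','B','P',
    'V','P','8','X', 10,0,0,0, 0,0,0,0,0,0,0,0,0,0,
    'A','L','P','H', 2,0,0,0, 0x01,0x00,         /* compression method 1 = lossless */
    'V','P','8',' ', 2,0,0,0, 0,0 };

int main(void) {
    printf("lossless sample: %d\n", webp_kind(sample_lossless, sizeof sample_lossless));
    printf("lossy sample: %d\n", webp_kind(sample_lossy, sizeof sample_lossy));
    printf("VP8X+ALPH sample: %d\n", webp_kind(sample_vp8x_alpha, sizeof sample_vp8x_alpha));
    printf("truncated sample: %d\n", webp_kind(sample_lossless, 20));
    return 0;
}
```

A filter built on this should fail closed: anything that does not classify as WEBP_LOSSY is rejected, and a lossy file with a lossless-compressed alpha plane is treated as lossless because its ALPH chunk reaches the same Huffman code reader.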
Weakness Enumeration
CWE-787: Out-of-bounds Write
Related Identifiers
CVE-2023-4863
Affected Products
Centos
Red Hat
Red Os
Rocky Linux
Libwebp