Critical CVIS 10-rated Zero-day Webp vulnerability wildly exploited. Reassigned to CVE-2023-5129.

Google’s libwebp based zero-day vulnerability is now reassigned to CVE 2023-5129. It is wildly exploited. Attackers are using webp images to transmit malicious codes to extract sensitive information from their victims. 
Google released a security fix for a critical vulnerability that affected Google Chrome for Windows, macOS, and Linux. The vulnerability was given the CVE ID as CVE-2023-4863 and has been given a severity of 8.8 (High). On analyzing the vulnerability, it was discovered that a heap buffer overflow vulnerability existed in the libwebp library that a threat actor can exploit to perform out-of-bounds memory write via a crafted HTML page. However, this vulnerability was resubmitted by Google, which is now tracked as CVE-2023-5129. It was later found that CVE-2023-41064 and this vulnerability were similar and affected the same libwebp library. Threat actors exploited this particular library during the BLASTPASS exploit chain attack for deploying the NSO’s Pegasus Spyware. Though both of these vulnerabilities had different CVE IDs and were released by different vendors, they both affect the same library.

03 Oct 2023

Zero-day Webp vulnerability
Webp vulnerability

Creating portfolio made simple for

Trusted by 30200+ Generalists. Try it now, free to use

Start making more money