Google’s Revelation: Chrome’s Zero-Day Vulnerability Traced to libwebp (CVE-2023-5129)


A few weeks back, Google patched an exploited Chrome zero-day. It now emerges with a new identity: CVE-2023-5129. The twist in the story is that the vulnerability isn’t within Chrome. Instead, it lies in the libwebp library, a tool many popular applications employ for encoding and decoding the WebP image format.

Delving Into CVE-2023-5129: The vulnerability arises from a flawed implementation of the Huffman coding algorithm in libwebp. The flaw can let an attacker trigger a heap buffer overflow and execute arbitrary code.

The versions of libwebp that this vulnerability affects range from 0.5.0 to 1.3.1. Fortunately, the issue has been resolved in version 1.3.2. Its severity has been rated with a “perfect” CVSS score of 10.0, signaling its critical nature.

Earlier on, researchers at Rezilion had hypothesized that CVE-2023-41064, a buffer overflow vulnerability recently addressed by Apple, and CVE-2023-4863, the aforementioned Chrome zero-day, might be identical in nature. Their assumptions proved accurate, leading to the identification of CVE-2023-5129.

The Current Landscape: Experts Ofri Ouzan and Yotam Perkal from Rezilion highlighted that the libwebp library is embedded in:

  • Widely used container images, having billions of deployments (examples include drupal, nginx, perl, python, ruby, rust, and wordpress).
  • Several utilities relying on libwebp.
  • Leading web browsers like Chrome, Firefox, Microsoft Edge, Opera, and so on.
  • Numerous Linux distributions such as Debian, Ubuntu, Alpine, Gentoo, and SUSE.
  • The Electron framework, which serves as a foundation for many cross-platform desktop applications.
  • A host of other applications ranging from Microsoft Teams, Slack, and Discord to LibreOffice, 1Password, Telegram, and Signal Desktop.

While some applications have integrated the patches for this vulnerability, others are still in the process. It’s anticipated that comprehensive fixes will be rolled out shortly.

Users are encouraged to adhere to a frequently given piece of advice: Make it a habit to update your operating systems and software regularly.

For enterprise setups equipped with vulnerability scanners, there’s a silver lining: the scanners can now detect this vulnerability automatically and initiate remediation across the infrastructure.

Additionally, Tom Sellers, the leading research engineer at runZero, has provided a shell command. macOS users can employ this command to determine the Electron version their apps rely on, noting that versions 22.3.24, 24.8.3, 25.8.1, 26.2.1, and 27.0.0-beta.2 have integrated the patch.
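
Once the Electron version of each app is known, it still has to be compared against the patched release on the same release line, and pre-releases such as 27.0.0-beta.1 must sort before the fix. The sketch below is an added example (not the runZero command and not code from the article); the app names and inventory are constructed, and treating release lines newer than 27 as patched is an assumption.

```python
import re

# Patched Electron releases exactly as listed in the article, one per release line.
PATCHED = ["22.3.24", "24.8.3", "25.8.1", "26.2.1", "27.0.0-beta.2"]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def sort_key(version):
    """Semver ordering key: a pre-release sorts before its final release."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Electron version: {version!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + ((1,),)
    # Numeric identifiers compare as numbers and rank below alphanumeric ones.
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i)
                for i in m.group(4).split("."))
    return core + ((0,) + ids,)


FIXED_IN = {sort_key(v)[0]: sort_key(v) for v in PATCHED}


def classify(version):
    """Return 'patched', 'vulnerable' or 'no-listed-fix' for one version."""
    key = sort_key(version)
    major = key[0]
    if major in FIXED_IN:
        return "patched" if key >= FIXED_IN[major] else "vulnerable"
    if major > max(FIXED_IN):
        return "patched"  # assumption: release lines after 27 carry the fix
    return "no-listed-fix"  # e.g. 23.x: the article names no fixed release


def triage(inventory):
    """Map app name -> status for every app that is not known to be patched."""
    results = {app: classify(ver) for app, ver in inventory.items()}
    return {app: s for app, s in results.items() if s != "patched"}


# Constructed inventory (hypothetical app names and versions, not real findings).
SAMPLE = {"ChatApp": "22.3.23", "NotesApp": "25.8.1", "OldTool": "23.1.0",
          "BetaApp": "27.0.0-beta.1", "NewApp": "27.0.0"}

if __name__ == "__main__":
    for app, status in sorted(triage(SAMPLE).items()):
        print(f"{app}: Electron {SAMPLE[app]} -> {status}")
```

Apps reported as `no-listed-fix` sit on a release line for which the article names no patched version, so they need a move to a listed line rather than a point update.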