Google has reclassified a previously identified security vulnerability in its Chrome browser, now assigning a new CVE ID (CVE-2023-5129) to the flaw in the open-source libwebp library. This library is used to encode and decode images in WebP format. The vulnerability was initially disclosed as a Chrome weakness, tracked as CVE-2023-4863.
The zero-day vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School on September 6, and Google patched it less than a week later. Citizen Lab has a history of revealing zero-days that have been used in targeted spyware campaigns, often linked to state-sponsored threat actors targeting high-risk individuals such as journalists and opposition politicians.
Google's initial decision to label the vulnerability as a Chrome bug rather than a libwebp flaw caused some confusion in the cybersecurity community. Ben Hawkes, founder of a security consulting firm and former leader of Google's Project Zero team, linked CVE-2023-4863 to another vulnerability (CVE-2023-41064) that was addressed by Apple and exploited as part of a zero-click iMessage exploit chain (known as BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware.
However, Google has now assigned a new CVE ID, CVE-2023-5129, to the vulnerability in libwebp, rating it as a critical issue with a maximum 10/10 severity rating. This reclassification has implications for other projects that use the libwebp open-source library. The vulnerability, now officially recognized as a libwebp flaw, involves a heap buffer overflow in WebP that impacts Google Chrome versions preceding 116.0.5845.187.
The vulnerability lies within the Huffman coding algorithm used by libwebp for lossless compression, enabling attackers to execute out-of-bounds memory writes using maliciously crafted HTML pages. This type of exploit can lead to serious consequences, including crashes, arbitrary code execution, and unauthorized access to sensitive information.
The reclassification of CVE-2023-5129 as a libwebp vulnerability is significant because it was initially overlooked as a potential security threat for many projects using libwebp. These include 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers. The revised critical rating highlights the need to quickly address the security vulnerability (now tracked under multiple CVE IDs with different severity ratings) across these platforms to protect users' data. Google did not provide a comment when contacted.