CVE-2023-4863: Heap buffer overflow in WebP
Published Sep 6, 2023
Chromium: CVE-2023-4863 Heap buffer overflow in WebP
Credit
Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto
Affected Software
64 affected components. Fixes available.
Microsoft VP9 Video Extensions
Google Chromium WebP
Microsoft Edge (Chromium-based)
Microsoft Teams for Desktop
Microsoft Teams for Mac
Microsoft WebP Image Extension
Microsoft Skype
Google Chrome <116.0.5845.187 (fixed in 116.0.5845.187)
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Debian Debian Linux=12.0
Mozilla Firefox <117.0.1
Mozilla Firefox ESR <102.15.1
Mozilla Firefox ESR >=115.0, <115.2.1
Mozilla Thunderbird <102.15.1
Mozilla Thunderbird >=115.0, <115.2.2
Microsoft Edge <117.0.2045.31
webmproject Libwebp <1.3.2
Mozilla Firefox <117.0.1 (fixed in 117.0.1)
Mozilla Firefox ESR <102.15.1 (fixed in 102.15.1)
Mozilla Firefox ESR <115.2.1 (fixed in 115.2.1)
Mozilla Thunderbird <102.15.1 (fixed in 102.15.1)
Mozilla Thunderbird <115.2.2 (fixed in 115.2.2)
go/github.com/chai2010/webp >=0.0.0, <1.1.2-0.20250406010349-76805d5a8860 (fixed in 1.1.2-0.20250406010349-76805d5a8860)
go/github.com/chai2010/webp >=1.1.2, <1.4.0 (fixed in 1.4.0)
go/github.com/chai2010/webp <0.0.0-20250406010349-76805d5a8860 (fixed in 0.0.0-20250406010349-76805d5a8860)
nuget/magick.net-q8-x64 <13.3.0 (fixed in 13.3.0)
nuget/magick.net-q8-openmp-x64 <13.3.0 (fixed in 13.3.0)
nuget/magick.net-q8-anycpu <13.3.0 (fixed in 13.3.0)
nuget/magick.net-q16-x64 <13.3.0 (fixed in 13.3.0)
nuget/magick.net-q16-hdri-anycpu <13.3.0 (fixed in 13.3.0)
nuget/magick.net-q16-anycpu <13.3.0 (fixed in 13.3.0)
rust/webp <0.2.6 (fixed in 0.2.6)
pip/Pillow <10.0.1 (fixed in 10.0.1)
nuget/SkiaSharp >=2.0.0, <2.88.6 (fixed in 2.88.6)
npm/electron >=27.0.0-beta.1, <27.0.0-beta.2 (fixed in 27.0.0-beta.2)
npm/electron >=26.0.0, <26.2.1 (fixed in 26.2.1)
npm/electron >=25.0.0, <25.8.1 (fixed in 25.8.1)
npm/electron >=24.0.0, <24.8.3 (fixed in 24.8.3)
npm/electron >=22.0.0, <22.3.24 (fixed in 22.3.24)
rust/libwebp-sys <0.9.3 (fixed in 0.9.3)
rust/libwebp-sys2 <0.1.8 (fixed in 0.1.8)
Mozilla Firefox <102.15.1
Mozilla Firefox <117.0.1
Mozilla Firefox >=115.1.0, <115.2.1
Microsoft Edge Chromium <116.0.1938.81
Microsoft Teams Macos <1.6.00.26463
Microsoft Teams <1.6.00.26474
Microsoft WebP Image Extension <1.0.62681.0
NetApp Active Iq Unified Manager Vmware Vsphere
Bentley Seequent Leapfrog <2023.2
Bandisoft Honeyview <5.51
Microsoft Edge <117.0.2045.31
Microsoft Teams for Mac, Classic Edition
Google Android
debian/chromium: 120.0.6099.224-1~deb11u1, 147.0.7727.137-1~deb12u1, 148.0.7778.178-1~deb12u1, 147.0.7727.137-1~deb13u1, 148.0.7778.178-1~deb13u1, 148.0.7778.178-1
debian/firefox: 151.0.1-1
debian/firefox-esr: 115.14.0esr-1~deb11u1, 140.11.0esr-1~deb11u1, 140.10.2esr-1~deb12u1, 140.11.0esr-1~deb12u1, 140.10.2esr-1~deb13u1, 140.11.0esr-1~deb13u1, 140.11.0esr-1
debian/libwebp: 0.6.1-2.1+deb11u2, 1.2.4-0.2+deb12u1, 1.5.0-0.1
debian/thunderbird: 1:115.12.0-1~deb11u1, 1:140.11.0esr-1~deb11u1, 1:140.10.1esr-1~deb12u1, 1:140.11.0esr-1~deb12u1, 1:140.10.1esr-1~deb13u1, 1:140.11.0esr-1~deb13u1, 1:140.11.0esr-1
Remediation
Information
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Event History
Sep 6, 2023
  CVE Published, 12:00 AM
  Known Exploited, 12:00 AM
Sep 11, 2023
  News Published via BleepingComputer, 07:46 PM
  Data Sourced via Red Hat, 08:34 PM (Description, Severity, Affected Software)
Sep 12, 2023
  Data Sourced via Microsoft, 07:00 AM (Description, Severity, Weakness, Affected Software)
  Updated via Microsoft, 07:00 AM (Description, Affected Software)
  CVE Published via MITRE, 02:24 PM
  Data Sourced via MITRE, 02:24 PM (Description, Weakness)
  Data Sourced via NVD, 03:15 PM (Remedy, Description, Severity, Weakness, Affected Software)
  Advisory Published via GitHub, 03:30 PM
  Data Sourced via GitHub, 03:30 PM (Description, Severity, Weakness, Affected Software)
Oct 2, 2023
  Data Sourced via Android, 12:00 AM (Severity, Weakness, Affected Software)
Nov 28, 2023
  News Published, 09:24 PM
Dec 4, 2023
  News Published, 07:37 PM
Dec 20, 2023
  News Published, 09:41 PM
Jan 12, 2024
  Data Sourced via Launchpad, 12:26 AM (Description)
Jan 16, 2024
  News Published via BleepingComputer, 07:13 PM
Jan 20, 2024
  News Published via BleepingComputer, 07:14 PM
Mar 27, 2024
  News Published via The Register, 02:00 PM
  News Published via The Register, 02:04 PM
Sep 16, 2024
  Data Sourced via Ubuntu, 02:43 AM (Remedy, Description, Severity, Affected Software)
May 25, 2026
  Data Sourced via Debian, 10:40 AM (Description, Affected Software)
Frequently Asked Questions
1. What is CVE-2023-4863?
CVE-2023-4863 is a vulnerability in Google Chromium WebP that allows a remote attacker to perform an out-of-bounds memory write.
2. Which software is affected by CVE-2023-4863?
Microsoft Edge (Chromium-based), Google Chromium WebP, Microsoft Edge, Mozilla Firefox, Mozilla Firefox ESR, Mozilla Thunderbird, and libwebp are affected by CVE-2023-4863.
3. What is the severity of CVE-2023-4863?
CVE-2023-4863 has a severity rating of critical (8.8).
4. How can I fix the CVE-2023-4863 vulnerability?
To fix the CVE-2023-4863 vulnerability, update your software to the latest version provided by the respective vendors or apply the available patches.
5. Where can I find more information about CVE-2023-4863?
You can find more information about CVE-2023-4863 on the Microsoft Security Response Center (MSRC) website, the Google Chrome Releases blog, and the Mozilla Bugzilla website.