Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129)

UPDATE (September 28, 2023, 03:15 a.m. ET):

The CVE-2023-5129 ID has been either rejected or withdrawn by the CVE Numbering Authority (Google), since it’s a duplicate of CVE-2023-4863. The entry for the latter has been broadened to include its impact to the libwebp library.

The Chrome zero-day exploited in the wild and patched by Google a few weeks ago has a new ID (CVE-2023-5129) and a description that tells the whole story: the vulnerability is not in Chrome, but the libwebp library, which is used by many popular applications for encoding/decoding the WebP image format.

About CVE-2023-5129

The source of the vulnerability is a flawed implementation of the Huffman coding algorithm, which may allow attackers to trigger a heap buffer overflow and to execute arbitrary code.

CVE-2023-5129 affects libwebp versions 0.5.0 to 1.3.1, and has been fixed in version 1.3.2. It has received a “perfect” CVSS score (10.0), which means it’s as critical as it can possibly be.

Rezilion researchers have previously posited that CVE-2023-41064, a buffer overflow vulnerability in the ImageI/O framework recently fixed by Apple and exploited to deliver NSO Group’s Pegasus spyware, and CVE-2023-4863, the aforementioned Chrome zero-day, are effectively the same flaw.

As it turns out, they were right – hence: CVE-2023-5129.

What now?

Rezilion’s Ofri Ouzan and Yotam Perkal pointed out that the libwebp library can be found in:

• Popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, ngnix, perl, python, ruby, rust, wordpress)
• A variety of utilities that depend on libwebp
• The most popular web browers (Chrome, Firefox, Microsoft Edge, Opera, etc.
• Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
• The Electron framework, on which many cross-platform desktop applications are based
• A slew of other applications (including Microsoft Teams, Slack, Discord, LibreOffice, 1Password, Telegram, Signal Desktop, etc.)

Some of these have already incorporated patched for the vulnerability, and some have yet to do it. Hopefully, the rest of the fixes will soon be pushed out.

Consumers should take to heart and implement that often repeated advice: Regularly update your operating system(s) and software.

The good news for enterprises using vulnerability scanners is that they will finally be able to automatically detect and proceed to remediate the vulnerability across their systems.

Tom Sellers, principal research engineer at runZero, has also shared a shell command users can run on macOS to see which of their apps are based on which Electron version (versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2 have the patch).

Threat hunter Michael Taggart has compiled and is updating a list of apps based on Electron, pointing out the version in use.