CVE-2023-4863
Published: 12 September 2023
Summary
CVE-2023-4863 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the libwebp image-decoding library; the affected-product record names Fedoraproject Fedora, which ships libwebp, alongside Google Chrome and libwebp itself. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2023-4863 is a heap buffer overflow in the libwebp library, present in Google Chrome before 116.0.5845.187 and in libwebp releases before 1.3.2. The overflow occurs in the lossless (VP8L) decoder when it builds its Huffman decoding tables from attacker-controlled code lengths. It is tracked as CWE-787 and carries a CVSS 3.1 base score of 8.8 (High; Chromium's own severity rating is Critical), reflecting a network attack vector, low attack complexity, no required privileges and only the user interaction needed to load the image.
An unauthenticated remote attacker exploits the flaw by getting a crafted WebP image decoded, typically through an HTML page the browser renders, which triggers an out-of-bounds memory write during WebP image processing. Successful exploitation can yield arbitrary code execution in the decoding process and, with it, full loss of confidentiality, integrity and availability of the target system.
The references include oss-security (openwall.com) mailing-list posts that document the issue and point to the fixes in the Chrome and libwebp releases noted above. The EPSS score currently stands at 0.9330, with a recorded peak of 0.9412.
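Because the vulnerable code path is the lossless decoder, a triage step that is useful at a mail gateway or in incident response is to identify which WebP files actually reach that path, regardless of the file extension they carry. The following is an added example written for this page, not tooling from the libwebp project or from the advisory: it walks the RIFF container, lists the chunks, decodes the width and height from the VP8L or VP8 headers, and flags any file that carries a VP8L bitstream or a lossless-compressed ALPH plane. The sample inputs are constructed headers with dummy bitstream bytes, not real images and not exploit files.

```python
"""Triage helper for WebP content (added example, not from the advisory or libwebp).

Flags files whose decode goes through the VP8L lossless decoder, the code
path in which the CVE-2023-4863 Huffman-table overflow lives.
"""
import struct

RIFF = b"RIFF"
WEBP = b"WEBP"


def find_webp_offsets(buf: bytes) -> list:
    """Offsets of every RIFF/WEBP header in buf; a WebP hidden behind another
    extension or appended to a different file type still shows up."""
    offsets = []
    pos = buf.find(RIFF)
    while pos != -1:
        if buf[pos + 8:pos + 12] == WEBP:
            offsets.append(pos)
        pos = buf.find(RIFF, pos + 1)
    return offsets


def parse_webp(buf: bytes, start: int = 0) -> dict:
    """Walk the chunks of one WebP container starting at `start`."""
    if buf[start:start + 4] != RIFF or buf[start + 8:start + 12] != WEBP:
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", buf, start + 4)[0]
    end = min(start + 8 + riff_size, len(buf))   # never trust the declared size
    chunks, issues = [], []
    lossless = False
    pos = start + 12
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        payload = buf[pos + 8:pos + 8 + size]
        if len(payload) < size:
            issues.append("truncated chunk %r" % fourcc)
        info = {"fourcc": fourcc.decode("ascii", "replace"), "size": size}
        if fourcc == b"VP8L":
            # Lossless bitstream: 0x2f signature, then 14-bit width-1,
            # 14-bit height-1, 1-bit alpha, 3-bit version, little-endian.
            lossless = True
            if len(payload) >= 5 and payload[0] == 0x2F:
                bits = struct.unpack_from("<I", payload, 1)[0]
                info["width"] = (bits & 0x3FFF) + 1
                info["height"] = ((bits >> 14) & 0x3FFF) + 1
        elif fourcc == b"ALPH":
            # Extended-format alpha plane; compression method 1 means the
            # plane is itself a VP8L-coded stream.
            if payload and (payload[0] & 0x03) == 1:
                lossless = True
                info["compression"] = "lossless"
        elif fourcc == b"VP8 ":
            # Lossy key frame: 3-byte frame tag, 9d 01 2a start code,
            # then 14-bit width and height.
            if len(payload) >= 10 and payload[3:6] == b"\x9d\x01\x2a":
                w, h = struct.unpack_from("<HH", payload, 6)
                info["width"], info["height"] = w & 0x3FFF, h & 0x3FFF
        chunks.append(info)
        pos += 8 + size + (size & 1)             # payloads are padded to even length
    return {"offset": start, "chunks": chunks,
            "uses_lossless_decoder": lossless, "issues": issues}


def triage(buf: bytes) -> list:
    """Every WebP container found in buf, parsed."""
    return [parse_webp(buf, off) for off in find_webp_offsets(buf)]


def build_webp(*chunks) -> bytes:
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs (test data only)."""
    body = b""
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return RIFF + struct.pack("<I", 4 + len(body)) + WEBP + body


# Constructed samples: valid headers with dummy bitstream bytes, not real images.
LOSSLESS_3x2 = build_webp((b"VP8L", b"\x2f" + struct.pack("<I", (3 - 1) | ((2 - 1) << 14)) + b"\x00\x00\x00"))
LOSSY_16x16 = build_webp((b"VP8 ", b"\x00\x00\x00\x9d\x01\x2a" + struct.pack("<HH", 16, 16)))
ALPHA_LOSSLESS = build_webp((b"VP8X", b"\x10\x00\x00\x00\x03\x00\x00\x03\x00\x00"),
                            (b"ALPH", b"\x01\x00\x00\x00"),
                            (b"VP8 ", b"\x00\x00\x00\x9d\x01\x2a" + struct.pack("<HH", 4, 4)))
DISGUISED = b"GIF89a" + LOSSLESS_3x2          # WebP body behind a GIF magic


if __name__ == "__main__":
    for sample in (LOSSLESS_3x2, LOSSY_16x16, ALPHA_LOSSLESS, DISGUISED):
        for report in triage(sample):
            print(report)
```

A hit from this parser says only that the file will exercise the lossless decoder on an unpatched libwebp; it does not say the file is malicious, and a lossy-only file is not proof of safety either, since the ALPH case shows that "lossy" extended-format files can still carry a VP8L stream.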
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2533
Vulnerability details
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 13 September 2023
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in libwebp enables remote code execution via crafted WebP images processed automatically in browsers (e.g., via HTML pages for drive-by compromise and client exploitation) or attachments (e.g., spearphishing as in BLASTPASS/Pegasus).
Affected Assets
- Google Chrome prior to 116.0.5845.187
- libwebp prior to 1.3.2
- Fedoraproject Fedora (downstream libwebp consumer named in the affected-product record)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification and remediation of software flaws such as the libwebp heap overflow by installing the vendor fixes (Chrome 116.0.5845.187 or later, libwebp 1.3.2 or later), including in every application that bundles its own copy of libwebp.
- SI-16 (Memory Protection): employs memory-protection techniques (DEP, ASLR, guard pages) that can make the out-of-bounds write harder to turn into code execution even when the vulnerable code path is reached; these raise the bar but do not remove the flaw.
- CM-7 (Least Functionality): reduces the attack surface for crafted WebP content by disabling or sandboxing unnecessary image codecs or WebP processing where the organization does not need them.
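The SI-2 control above comes down to an inventory question: which hosts still run a Chrome or libwebp build older than the fixed release? The following is an added example written for this page (not tooling from the advisory or from any vendor) that turns the two fixed versions into a check over an asset-inventory export. The record format, the host names and the versions in the sample are constructed assumptions for the example.

```python
"""SI-2 check for CVE-2023-4863 over an asset inventory (added example).

Compares observed versions against the fixed releases the advisory names:
Google Chrome 116.0.5845.187 and libwebp 1.3.2.
"""
import re

# Fixed releases named in the advisory; anything older is unpatched upstream.
FIXED_VERSIONS = {
    "chrome": (116, 0, 5845, 187),
    "libwebp": (1, 3, 2),
}


def parse_version(text: str) -> tuple:
    """'116.0.5845.187' -> (116, 0, 5845, 187); '1.3.1-2.fc38' -> (1, 3, 1).
    Only the leading dotted-integer prefix is compared."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the upstream version is older than the fixed release."""
    fixed = FIXED_VERSIONS[product.lower()]
    have = parse_version(version)
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))       # so 1.3 compares as 1.3.0
    fixed += (0,) * (width - len(fixed))
    return have < fixed


def triage_inventory(records) -> list:
    """records: 'host product version' lines (assumed inventory export format).
    Returns (host, product, version, vulnerable) for the tracked products."""
    findings = []
    for line in records:
        host, product, version = line.split()
        if product.lower() in FIXED_VERSIONS:
            findings.append((host, product, version, is_vulnerable(product, version)))
    return findings


# Constructed inventory: host names and versions made up for the example.
SAMPLE_INVENTORY = [
    "ws01 chrome 116.0.5845.140",
    "ws02 chrome 116.0.5845.187",
    "build01 libwebp 1.3.1",
    "build02 libwebp 1.3.2",
    "build03 libwebp 1.2.4-0.2",
    "db01 postgresql 15.4",
]


if __name__ == "__main__":
    for host, product, version, vuln in triage_inventory(SAMPLE_INVENTORY):
        print("%-8s %-8s %-16s %s" % (host, product, version, "PATCH" if vuln else "ok"))
```

Two caveats a practitioner should keep in mind when reading the output. Linux distributions frequently backport fixes without bumping the upstream version number, so a package that compares as vulnerable here may already be patched; confirm against the distribution's advisory or the package changelog rather than the version string alone. In the other direction, libwebp is routinely statically linked into browsers, Electron applications and image toolkits, so a package-manager inventory undercounts exposure and the bundled copies need their own vendor updates.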