Use after free in libwebp
CVE-2023-1999

7.5 HIGH

Key Information:

Vendor: Chromium

Status
Vendor
CVE Published: 20 June 2023

What is CVE-2023-1999?

libwebp contains a use-after-free and double-free condition caused by improper memory management. In the ApplyFiltersAndEncode() function, the best.bw pointer is freed inside a loop and then reassigned incorrectly. On a second iteration, an out-of-memory error in the VP8 encoder triggers an attempt to free memory that has already been released. Attackers can exploit this flaw to potentially execute arbitrary code or cause instability. Users are advised to upgrade to the latest version to mitigate this risk.
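A simplified model of the pattern described above, as an added example that is not libwebp's code: the struct names, the toy pool allocator, and the clear_on_entry hardening are assumptions made for illustration and are not the project's patch. RunTrials(0) counts one double free when the second trial fails; RunTrials(1) counts none.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the encoder's bit writer and per-filter trial. */
typedef struct { unsigned char* buf; } BitWriter;
typedef struct { BitWriter bw; size_t score; } Trial;

/* Toy heap so a repeated release is counted instead of corrupting memory. */
static unsigned char g_pool[4][16];
static int g_live[4], g_next, g_double_frees;

static unsigned char* PoolAlloc(void) {
  if (g_next >= 4) return NULL;
  g_live[g_next] = 1;
  return g_pool[g_next++];
}

static void WipeOut(BitWriter* bw) {
  for (int k = 0; bw->buf != NULL && k < 4; ++k) {
    if (bw->buf != g_pool[k]) continue;
    if (g_live[k]) g_live[k] = 0; else ++g_double_frees;
  }
  bw->buf = NULL;
}

/* Simulated encode; iteration fail_at returns early as if out of memory. */
static int Encode(Trial* t, int iter, int fail_at, int clear_on_entry) {
  if (clear_on_entry) t->bw.buf = NULL;  /* hardened: drop any stale pointer */
  if (iter == fail_at) return 0;         /* fails before bw is re-initialised */
  t->bw.buf = PoolAlloc();
  t->score = 100 - (size_t)iter;
  return t->bw.buf != NULL;
}

/* Runs two trials, the second failing; returns the double frees observed. */
int RunTrials(int clear_on_entry) {
  Trial best = { { NULL }, (size_t)-1 };
  Trial trial = { { NULL }, 0 };  /* outlives iterations: models stale state */
  int ok = 1;
  g_next = g_double_frees = 0;
  for (int i = 0; ok && i < 2; ++i) {
    ok = Encode(&trial, i, 1, clear_on_entry);
    if (ok && trial.score < best.score) {
      WipeOut(&best.bw);
      best = trial;               /* shallow copy: two owners, one buffer */
    } else {
      WipeOut(&trial.bw);         /* failure path releases the stale alias */
    }
  }
  WipeOut(&best.bw);              /* second release when nothing was cleared */
  return g_double_frees;
}
```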

Affected Version(s)

libwebp 0.4.2 < 1.3.1

libwebp 0.4.2 < 1.3.0-8-ga486d800

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
