Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild.
Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm -
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.
The development comes after Apple, Google, and Mozilla released fixes to contain a bug – tracked separately as CVE-2023-41064 and CVE-2023-4863 – that could cause arbitrary code execution when processing a specially crafted image. Both flaws are suspected to address the same underlying problem in the library.
According to the Citizen Lab, CVE-2023-41064 is said to have been chained with 2023-41061 as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus. Additional technical details are currently unknown.
But the decision to "wrongly scope" CVE-2023-4863 as a vulnerability in Google Chrome belied the fact that it also virtually affects every other application that relies on the libwebp library to process WebP images, indicating it had a broader impact than previously thought.
An analysis from Rezillion last week revealed a laundry list of widely used applications, code libraries, frameworks, and operating systems that are vulnerable to CVE-2023-4863.
"This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed," the company said. "Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages that libwebp is their dependency."
"The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations."
The disclosure arrives as Google expanded fixes for CVE-2023-4863 to include the Stable channel for ChromeOS and ChromeOS Flex with the release of version 15572.50.0 (browser version 117.0.5938.115).
It also follows new details published by Google Project Zero regarding the in-the-wild exploitation of CVE-2023-0266 and CVE-2023-26083 in December 2022 by commercial spyware vendors to target Android devices from Samsung in the U.A.E. and obtain kernel arbitrary read/write access.
The flaws are believed to have been put to use alongside three other flaws – CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 – by a customer or partner of a Spanish spyware company known as Variston IT.
"It is also particularly noteworthy that this attacker created an exploit chain using multiple bugs from kernel GPU drivers," security researcher Seth Jenkins said. "These third-party Android drivers have varying degrees of code quality and regularity of maintenance, and this represents a notable opportunity for attackers."
Update
The CVE numbering authority has rejected CVE-2023-5129 for being a duplicate of CVE-2023-4863.