ALT-PU-2023-7312-7

BDU:2023-02923

HIGH7.5

Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-05-31Modified: 2025-09-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2023-1999

BDU:2023-05510

HIGH8.8

Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код

Published: 2023-09-13Modified: 2025-09-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2023-4863

CVE-2023-1999

HIGH7.5

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.

Published: 2023-06-20Modified: 2025-02-13

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2023-4863

HIGH8.8

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Published: 2023-09-12Modified: 2025-10-24

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-94vc-p8w7-5p49

NONE

Bundled libwebp in imagecodecs vulnerable

Published: 2023-10-05

References

GHSA-cxjf-x6jp-p7mc

HIGH8.6

opencv-contrib-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Published: 2024-08-31

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 8.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-j7hp-h8jx-5ppr

HIGH8.8

libwebp: OOB write in BuildHuffmanTable

Published: 2023-09-12Modified: 2025-07-09

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-jh2j-j4j9-crg3

HIGH8.6

opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Published: 2024-08-31

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 8.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-qr4w-53vh-m672

HIGH8.6

opencv-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Published: 2024-08-31Modified: 2024-08-31

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 8.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-w2pj-9cgh-mq2c

HIGH8.6

opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Published: 2024-08-31

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 8.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-wqcr-xm43-hpqr

HIGH8.8

Vulnerable version of libwebp and can be exploited with a malicious source image

Published: 2023-10-06

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Package update libwebp in branch p10

Closed issues (11)

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Bundled libwebp in imagecodecs vulnerable

opencv-contrib-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

libwebp: OOB write in BuildHuffmanTable

opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

opencv-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Vulnerable version of libwebp and can be exploited with a malicious source image