Google reassigns CVE-2023-5129, a critical libwebp vulnerability initially mistaken as Chrome flaw, affecting numerous popular browsers.

Continue reading
Google has reassigned a zero-day vulnerability to the open-source libwebp library. The flaw, initially identified as a Chrome weakness CVE-2023-4863, has now been allocated a new CVE ID: CVE-2023-5129. This reclassification bears critical implications for the cybersecurity community and projects dependent on libwebp.
Google's acknowledgment of CVE-2023-5129 as a critical issue within libwebp, marked with a maximum severity rating of 10/10, brings into focus the pivotal role this library plays in various projects.
CVE-2023-5129 revolves around a heap buffer overflow in WebP, impacting Google Chrome versions preceding 116.0.5845.187. Its core resides in the Huffman coding algorithm employed by libwebp for lossless compression. This vulnerability provides malevolent actors the capability to execute out-of-bounds memory writes, exploiting maliciously crafted HTML pages.
Such exploits wield immense power, ranging from system crashes to the execution of arbitrary code and unauthorized access to sensitive data.
The reclassification of CVE-2023-5129 has profound implications for projects across the spectrum. This critical rating elevates the urgency of addressing the security vulnerability, which now appears under multiple CVE IDs, each with distinct severity ratings.
Libwebp's inconspicuous role in numerous projects, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers, underscores the breadth of its reach. These platforms are now in the spotlight due to this vulnerability's heightened criticality.
The initial classification of this vulnerability as a Chrome weakness (CVE-2023-4863) left the cybersecurity community puzzled. Questions arose regarding Google's decision to categorize it within Chrome rather than attributing it to libwebp.
Notably, security consulting firm founder Ben Hawkes, formerly leading Google's Project Zero team, drew connections between CVE-2023-4863 and CVE-2023-41064. The latter vulnerability, addressed by Apple on September 7, was exploited in a zero-click iMessage exploit chain known as BLASTPASS. This chain aimed to compromise fully patched iPhones with NSO Group's Pegasus commercial spyware.
Fortunately, this security concern did not linger unresolved. The joint report by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School on September 6 triggered prompt action from Google. Less than a week later, the issue was effectively patched.
Citizen Lab's track record in detecting and exposing zero-day vulnerabilities used in targeted spyware campaigns is noteworthy. These campaigns typically target high-risk individuals, such as journalists and opposition politicians, often attributed to state-sponsored threat actors.
Google's reclassification of the zero-day vulnerability as CVE-2023-5129, marking it as a critical issue within libwebp, signifies a pivotal moment in the cybersecurity landscape. The heap buffer overflow within the WebP format has far-reaching implications, affecting a multitude of projects. This reevaluation underscores the necessity for immediate action across various platforms to safeguard user data.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.