HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2023-4863

CVSS 8.8v3.1pub. 2023-09-12upd. 2025-10-24

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Bandisoft Honeyview

    APP
    Bandisoft
    < 5.51
  • Bentley Seequent Leapfrog

    APP
    Bentley
    < 2023.2
  • Debian

    OS
    Debian
    10.011.012.0
  • Fedora Project Fedora

    OS
    Fedoraproject
    373839
  • Google Chrome

    APP
    Google
    < 116.0.5845.187
  • Microsoft Edge

    APP
    Microsoft
    < 116.0.1938.81
  • Microsoft Teams

    APP
    Microsoft
    < 1.6.00.26463< 1.6.00.26474
  • Microsoft Webp Image Extension

    APP
    Microsoft
    < 1.0.62681.0
  • Mozilla Firefox

    APP
    Mozilla
    < 102.15.1< 117.0.1115.1.0 – 115.2.1 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    115.0 – 115.2.2 (bez)< 102.15.1
  • Netapp Active Iq Unified Manager

    APP
    Netapp
    wszystkie wersje
  • Webmproject Libwebp

    APP
    Webmproject
    < 1.3.2

CISA KEV — detailsi

Vendori
Google
Producti
Chromium WebP
Added to KEVi
September 13, 2023
Remediation deadline (US Federal)i
October 4, 2023(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect applications that use the WebP Codec.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 października 2023
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)