https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
The heap buffer overflow (CVE-2023-4863) vulnerability in the WebP Codec is being actively exploited in the wild.
A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release of updates to address the issue.
Update (9/13/2023): So far the Web Browsers that have confirmed a fix and released an update include: Google Chrome[1], Mozilla Firefox[2], Brave[3], and Microsoft Edge[4]. If your browser of choice is using Chromium then expect an update to already be rolled out or will be done shortly.
⚠️ Important: Let me make it perfectly clear that this vulnerability doesn’t just affect web browsers, it affects any software that uses the libwebp library…
Who uses libwebp? There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: Affinity (the design software), Gimp, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), ffmpeg, and many, many Android applications as well as cross-platform apps built with Flutter.
Update (9/14/2023): 1Password for Mac have released an update to address the issue. 1Password (like many others) is an application built with Electron, and until all these apps upgrade to the latest version – they are considered vulnerable based on the severity of the bug…
