Google warns of serious vulnerability in WebP file format
Google is warning of a serious vulnerability in the WebP file format. Several other companies, including LibreOffice, have since released patches for the bug in response.
The bug is a heap buffer overflow in WebP, the file format designed by Google but now used by much other software. Attackers could exploit the vulnerability by crafting a lossless WebP file that causes the libwebp library to write beyond the bounds of a heap buffer. The bug was originally discovered by security researchers and has since been fixed by Google.
Google has given the new bug a rating of 10/10, indicating that exploitation can have major consequences. It makes it possible not only to crash devices, but also to extract data and ultimately execute code. Last week, other security researchers already speculated that the vulnerability may have been exploited in practice by Pegasus spyware maker NSO Group. Those researchers based this on a description of the exploit chain in which the vulnerability was exploited.
Google already warned about the bug last week. The company had registered it as CVE-2023-4863, a bug report specific to the implementation of WebP in Chrome. However, the company received a lot of comments about this: registering that particular bug made it seem as if the bug only occurred in Chrome and that other services with WebP integration were not at risk. That turned out not to be the case; the buffer overflow could also be triggered in other software, such as Microsoft Teams and LibreOffice. The latter has now released a fix. Other vendors have done the same, but Google was still criticized for the limited information it provided about the vulnerability. Google has therefore re-registered the bug under CVE-2023-5129. In it, Google states that the bug is in WebP itself and not just in Chrome, and provides more details on how the bug can be exploited.
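Because the bug is triggered by crafted lossless WebP files and the format is embedded in many applications beyond Chrome, a defender may want to flag lossless WebP files arriving via uploads or mail for inspection until every decoder is patched. The following triage helper is an added example, not code from Google, libwebp or any vendor named above; the function names (`iter_chunks`, `webp_codec`) and the sample files are constructed for this illustration and follow the public WebP container layout (RIFF header, FourCC chunks with little-endian sizes and even padding).

```python
import struct

def iter_chunks(data: bytes, start: int):
    """Yield (fourcc, payload) for each RIFF chunk starting at `start`."""
    pos = start
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) < size:
            raise ValueError(f"truncated chunk {fourcc!r}")
        yield fourcc, payload
        pos += 8 + size + (size & 1)  # chunks are padded to an even length

def webp_codec(data: bytes) -> str:
    """Return 'lossless', 'lossy' or 'unknown' for a WebP byte string.

    Raises ValueError if the data is not a WebP RIFF container. Lossless
    (VP8L) files are the ones relevant to CVE-2023-4863 / CVE-2023-5129.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        raise ValueError("RIFF size field exceeds file length")
    for fourcc, payload in iter_chunks(data, 12):
        if fourcc == b"VP8L" and payload[:1] == b"\x2f":
            return "lossless"  # VP8L bitstreams start with signature 0x2f
        if fourcc == b"VP8 ":
            return "lossy"
        # Extended files (VP8X) carry ICCP/ANIM/ALPH/... before the image
        # chunk, so keep walking until a VP8 or VP8L chunk appears.
    return "unknown"

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Build one RIFF chunk; used only to construct sample input below."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def build_webp(chunks: bytes) -> bytes:
    """Wrap chunk bytes in a RIFF/WEBP header (constructed sample data)."""
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks

# Constructed samples: a minimal lossless file and an extended lossy file.
SAMPLE_LOSSLESS = build_webp(_chunk(b"VP8L", b"\x2f\x00\x00\x00\x00"))
SAMPLE_EXTENDED_LOSSY = build_webp(
    _chunk(b"VP8X", b"\x00" * 10) + _chunk(b"VP8 ", b"\x00" * 3))

if __name__ == "__main__":
    for name, blob in (("lossless", SAMPLE_LOSSLESS),
                       ("extended lossy", SAMPLE_EXTENDED_LOSSY)):
        print(name, "->", webp_codec(blob))
```

The sample payloads are header stubs only, not decodable images; the point is the container walk, which is what a gateway scanner needs to decide whether a file reaches a lossless decoder at all.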