
Cloud Vulnerability DB
A community-led vulnerabilities database
A double-free vulnerability was discovered in libwebp, identified as CVE-2023-1999. The flaw lies in the ApplyFiltersAndEncode() function, which loops through trials, freeing best.bw and assigning best = trial. It was disclosed in May 2023 and affects the WebP image format library, which provides both lossy and lossless compression of digital photographic images (Ubuntu Security, Red Hat Portal).
The double free is triggered when the second loop returns 0 because of an out-of-memory error in the VP8 encoder: the pointer remains assigned to trial, so the same buffer is released a second time, which AddressSanitizer reports as a double free. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High): attack vector Network, attack complexity Low, no privileges required and no user interaction. The scope is unchanged, with no impact on confidentiality or integrity but high impact on availability (Ubuntu Security).
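As an added illustration, constructed for this entry and not libwebp's code, the ownership pattern described above: a loop keeps the best of several trials by copying the trial struct, and a failure path that leaves the copied pointer in place lets the same buffer be released twice. The names run_filter_loop, encode_trial and track_free are hypothetical; a small registry of live buffers stands in for AddressSanitizer so the second free is counted rather than performed, and the hardened variant clears the handle on failure, which is the general remedy rather than a quotation of the upstream patch.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the best/trial ownership pattern, not libwebp code. The
 * live-buffer registry stands in for AddressSanitizer: a second free is counted. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;
static void *track_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void track_free(void *p) {   /* frees p once; counts any repeat */
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;
}
typedef struct { char *data; int score; } Trial;
/* Simulated encoder that runs "out of memory" on filter `fail_at`. Unsafe: leaves
 * out->data untouched on failure, so a pointer copied from an earlier trial
 * survives. Hardened: clears it (a general remedy, not the upstream patch). */
static int encode_trial(Trial *out, int filter, int fail_at, int hardened) {
    if (filter == fail_at) {
        if (hardened) out->data = NULL;
        return 0;
    }
    out->data = track_alloc(64);
    out->score = 100 - filter;      /* each later filter scores better */
    return out->data != NULL;
}
/* Keep the best of several trials; returns the number of double frees seen. */
int run_filter_loop(int fail_at, int hardened) {
    Trial best = { NULL, 1 << 30 }, trial = { NULL, 0 };
    int ok = 1;
    double_frees = 0;
    memset(live, 0, sizeof live);
    for (int filter = 0; ok && filter < 4; filter++) {
        ok = encode_trial(&trial, filter, fail_at, hardened);
        if (ok && trial.score < best.score) {
            track_free(best.data);
            best = trial;           /* struct copy: both now hold trial.data */
        } else {
            track_free(trial.data); /* stale pointer here is the second free */
        }
    }
    track_free(best.data);          /* best still carries the same pointer */
    return double_frees;
}
```

With a failure on the third filter the unsafe loop reports one double free and the hardened loop none; with no failure both variants free each buffer exactly once.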
Exploitation of this vulnerability could lead to memory corruption and potentially to a remotely exploitable condition. The primary impact is on availability, with no direct effect on the confidentiality or integrity of the system (Red Hat Portal).
Multiple vendors have released patches to address this vulnerability. Ubuntu has fixed the issue across multiple versions, including version 1.2.4-0.1ubuntu1 for newer releases and backported fixes for older versions. Red Hat has also released security updates for affected versions of libwebp in their Enterprise Linux distributions (Ubuntu Security, Red Hat Portal).
Source: This report was generated using AI