CVE-2023-4863: 
vulnerability analysis and mitigation

CVE-2023-4863 is a critical heap buffer overflow vulnerability in libwebp discovered in September 2023. The vulnerability affects libwebp versions prior to 1.3.2 and allows remote attackers to perform an out-of-bounds memory write via a crafted WebP image. The vulnerability was discovered by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on September 6, 2023 (Chrome Blog, Citizen Lab).

The vulnerability exists in the BuildHuffmanTable function of libwebp's lossless decoder (VP8L). The issue occurs when processing Huffman codes where the pre-calculated buffer sizes don't account for second-level table lookups. While libwebp allows codes up to 15-bits (MAXALLOWEDCODE_LENGTH), the kTableSize array only considers 8-bit first-level table lookups. When BuildHuffmanTable attempts to fill second-level tables, it may write data out-of-bounds of the allocated buffer through the ReplicateValue operation (Blog Post, GitHub Commit).

The vulnerability has been assigned a CVSS score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Successful exploitation could lead to arbitrary code execution, information disclosure, or denial of service. The vulnerability affects a wide range of applications that use libwebp, including web browsers, image viewers, and other applications that process WebP images (NVD).

The vulnerability has been patched in libwebp version 1.3.2. Major browsers and applications have released updates incorporating the fixed version: Google Chrome (116.0.5845.187), Mozilla Firefox (117.0.1), Firefox ESR (115.2.1/102.15.1), and Thunderbird (115.2.2/102.15.1). Users and administrators are strongly advised to update their software to the latest versions that include the patched libwebp library (Mozilla Advisory).

The vulnerability has garnered significant attention due to its widespread impact and active exploitation. Security researchers have noted that the vulnerability's impact extends beyond browsers to any application using the libwebp library. The security community has emphasized the importance of prompt patching, particularly given the vulnerability's inclusion in CISA's Known Exploited Vulnerabilities catalog (Arctic Wolf).