CVE-2023-4863: Heap Overflow vulnerability in libwebp-sys2 (crates.io)

What is CVE-2023-4863 About?

This critical vulnerability is a heap overflow in libwebp, leading to Remote Code Execution (RCE). Google has confirmed active exploitation in the wild, indicating high impact and relatively easy exploitability. Updating libwebp to version 1.3.2 patches the 'OOB write in BuildHuffmanTable' issue.

Affected Software

libwebp-sys2
- >0.0.0-0, <0.1.8
- <0.1.8
libwebp-sys
- <0.9.3
- >0.0.0-0, <0.9.3
electron
- >26.0.0, <26.2.1
- >27.0.0-beta.1, <27.0.0-beta.2
- >24.0.0, <24.8.3
- >25.0.0, <25.8.1
- >22.0.0, <22.3.24
SkiaSharp
- >2.0.0, <2.88.6
github.com/chai2010/webp
- >1.1.2, <1.4.0
- <0.0.0-20250406010349-76805d5a8860
- >0.0.0, <1.1.2-0.20250406010349-76805d5a8860
pillow
- <10.0.1
webp
- <0.2.6
magick.net-q16-anycpu
- <13.3.0
magick.net-q16-hdri-anycpu
- <13.3.0
magick.net-q16-x64
- <13.3.0
magick.net-q8-anycpu
- <13.3.0
magick.net-q8-openmp-x64
- <13.3.0
magick.net-q8-x64
- <13.3.0

Technical Details

The libwebp library is affected by a heap overflow vulnerability stemming from an out-of-bounds write within the BuildHuffmanTable function. This flaw allows an attacker to craft a malicious WebP image file. When a vulnerable application processes this file, the incorrect bounds checking in BuildHuffmanTable results in data being written outside of its allocated memory buffer on the heap. This heap corruption can be leveraged by an attacker to achieve arbitrary code execution in the context of the vulnerable application, leading to a full compromise of the system.

What is the Impact of CVE-2023-4863?

Successful exploitation may allow attackers to achieve remote code execution, giving them full control over the affected system, disclose sensitive information, or cause denial of service.

What is the Exploitability of CVE-2023-4863?

Exploitation is of moderate complexity, involving the creation of a specially crafted WebP image. No authentication is required, and no special privileges are needed from the attacker's perspective. It is a remote vulnerability, as the attacker only needs to entice a user or application to process a malicious WebP image (e.g., via a web page, email, or messaging application). The active exploitation in the wild significantly increases the likelihood and risk associated with this vulnerability.

What are the Known Public Exploits?

PoC Author	Link	Commentary
mistymntncop	Link	PoC for CVE-2023-4863
LiveOverflow	Link	PoC for CVE-2023-4863
murphysecurity	Link	A tool for finding vulnerable libwebp(CVE-2023-4863)

What are the Available Fixes for CVE-2023-4863?

Available Upgrade Options

libwebp-sys
- >0.0.0-0, <0.9.3 → Upgrade to 0.9.3
github.com/chai2010/webp
- <0.0.0-20250406010349-76805d5a8860 → Upgrade to 0.0.0-20250406010349-76805d5a8860
github.com/chai2010/webp
- >0.0.0, <1.1.2-0.20250406010349-76805d5a8860 → Upgrade to 1.1.2-0.20250406010349-76805d5a8860
github.com/chai2010/webp
- >1.1.2, <1.4.0 → Upgrade to 1.4.0
pillow
- <10.0.1 → Upgrade to 10.0.1
magick.net-q16-hdri-anycpu
- <13.3.0 → Upgrade to 13.3.0
magick.net-q16-x64
- <13.3.0 → Upgrade to 13.3.0
libwebp-sys2
- <0.1.8 → Upgrade to 0.1.8
magick.net-q16-anycpu
- <13.3.0 → Upgrade to 13.3.0
webp
- <0.2.6 → Upgrade to 0.2.6
magick.net-q8-x64
- <13.3.0 → Upgrade to 13.3.0
magick.net-q8-openmp-x64
- <13.3.0 → Upgrade to 13.3.0
magick.net-q8-anycpu
- <13.3.0 → Upgrade to 13.3.0
electron
- >22.0.0, <22.3.24 → Upgrade to 22.3.24
electron
- >24.0.0, <24.8.3 → Upgrade to 24.8.3
electron
- >25.0.0, <25.8.1 → Upgrade to 25.8.1
electron
- >26.0.0, <26.2.1 → Upgrade to 26.2.1
electron
- >27.0.0-beta.1, <27.0.0-beta.2 → Upgrade to 27.0.0-beta.2
SkiaSharp
- >2.0.0, <2.88.6 → Upgrade to 2.88.6

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-4863?

Similar Vulnerabilities: CVE-2023-5129 , CVE-2023-6625 , CVE-2023-6598 , CVE-2024-22003 , CVE-2023-38545

CVE-2023-4863 Heap Overflow vulnerability in libwebp-sys2 (crates.io)