Vulnerability in Google Chrome
CVE-2023-4863
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
EPSS: 0.933 (99.8th percentile) — read the EPSS interpretation.
Affected products
- Google Chrome — versions 116.0.5845.187
- Google Libwebp — versions 1.3.2
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
- crbug.com/1479274
- en.bandisoft.com/honeyview/history/
- stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
- www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
- security-tracker.debian.org/tracker/CVE-2023-4863
- bugzilla.suse.com/show_bug.cgi
- news.ycombinator.com/item
Frequently asked questions
- What is CVE-2023-4863?
- CVE-2023-4863 is a vulnerability in Google Chrome. Published 2023-09-12.
- Is CVE-2023-4863 known to be exploited?
- Yes. CVE-2023-4863 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-09-13), indicating it is being actively exploited. 64 public proof-of-concept repositories are indexed.