Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score

Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild.

The development comes after Apple, Google, and Mozilla released fixes to contain a bug – tracked separately as CVE-2023-41064 and CVE-2023-4863 – that could cause arbitrary code execution when processing a specially crafted image. Both identifiers are suspected to address the same underlying problem in the library.

According to the Citizen Lab, CVE-2023-41064 is said to have been chained with CVE-2023-41061 as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus. Additional technical details are currently unknown.

The disclosure arrives as Google expanded fixes for CVE-2023-4863 to include the Stable channel for ChromeOS and ChromeOS Flex with the release of version 15572.50.0 (browser version 117.0.5938.115).

It also follows new details published by Google Project Zero regarding the in-the-wild exploitation of CVE-2023-0266 and CVE-2023-26083 in December 2022 by commercial spyware vendors to target Android devices from Samsung in the U.A.E. and obtain kernel arbitrary read/write access.

The flaws are believed to have been put to use alongside three other flaws – CVE-2022-4262, CVE-2022-3038, and CVE-2022-22706 – by a customer or partner of a Spanish spyware company known as Variston IT.

“It is also particularly noteworthy that this attacker created an exploit chain using multiple bugs from kernel GPU drivers,” security researcher Seth Jenkins said. “These third-party Android drivers have varying degrees of code quality and regularity of maintenance, and this represents a notable opportunity for attackers.”