Safeguard
Vulnerability Management

The libwebp heap overflow that patched half the internet: CVE-2023-4863

One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.

Safeguard Research Team
Research
6 min read

On September 11, 2023, Google shipped an emergency Chrome update, version 116.0.5845.187, to fix a vulnerability its own security team had already confirmed was being exploited in the wild. The bug, tracked as CVE-2023-4863, sat inside libwebp, the open-source codec every major browser relies on to render WebP images: a heap-memory bounds error that an attacker could trigger simply by luring a victim to a booby-trapped web page, corrupting memory before any application code got a chance to intervene. NVD scored it 8.8 on CVSS v3.1 — AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — network-exploitable, low complexity, no privileges required, full compromise of confidentiality, integrity, and availability once a user opens the page. It was classified under CWE-787, out-of-bounds write, the same weakness class behind a huge share of memory-corruption zero-days. What made this disclosure different from a routine browser patch was the blast radius: because libwebp is a shared codec vendored into dozens of unrelated products, one fix in one library triggered a cascade of independent emergency releases from Google, Mozilla, Microsoft, and multiple Linux distributions, all patching the same six months-old code. This piece breaks down why a single decoding bug became a cross-vendor incident.

What exactly was broken inside libwebp?

The flaw lived in libwebp's lossless-compression decoder, specifically in the Huffman coding routine BuildHuffmanTable, which allocates a lookup table sized for the number of color codes expected in an image header. A maliciously crafted WebP file could specify a combination of image dimensions and Huffman code lengths that caused the decoder to write more table entries than the buffer it had allocated, corrupting adjacent heap memory. Because the write happens during image decode, before any application-level validation runs, the attacker only needed the victim's browser (or any app linking libwebp) to render the image. Google's security team, working with Apple's engineers who first flagged related crash reports, confirmed active exploitation before the public advisory went out. NVD published the entry on September 12, 2023, crediting Chrome as the reporting source, and the fix landed in libwebp 1.3.2 — a patch that rewrote the bounds check governing table allocation size relative to the declared code lengths.

Why did the bug spread to browsers that aren't Chromium-based?

libwebp isn't a Google-only dependency — it's the de facto reference implementation for WebP decoding that nearly every major rendering engine links against, either as a system library or a vendored copy. Mozilla shipped patched Firefox and Thunderbird builds within days of Google's disclosure because Gecko uses the same libwebp code for image decoding. Microsoft Edge needed its own advisory even though it consumes Chromium, since Microsoft maintains and ships its own binary builds on its own release cadence. NVD's affected-configuration list also names Debian and Fedora, because both distributions package libwebp as a shared system library (libwebp.so) that dozens of other installed packages dynamically link against rather than bundling their own copy. That single shared object meant a distro-level apt or dnf update could remediate every consumer of the library at once — but only for packages that hadn't statically vendored their own copy, which is precisely where the story gets harder.

Why did Electron and desktop chat apps need separate patches too?

Any application built on Electron, or on Chromium Embedded Framework, ships its own bundled copy of Chromium's rendering stack — including libwebp — inside the app package rather than relying on the operating system's shared library. That means 1Password, Signal, Slack, Discord, and a long list of other Electron-based desktop apps were each independently vulnerable and each needed their own rebuild against a patched Chromium or libwebp version, on their own release timeline, regardless of how quickly Google or the OS vendor patched. This is the core lesson security researchers pointed to at the time: a vulnerability in a widely vendored codec doesn't get fixed when the upstream project patches it — it gets fixed only when every downstream consumer that statically links or bundles that code rebuilds and re-ships. Some vendors initially misattributed their exposure to the wrong component (early advisories from a few projects cited "libvpx" before correcting to libwebp), reflecting how difficult it was even for engineering teams to quickly map a vendored transitive dependency back to its actual origin.

How urgent did government and industry treat this vulnerability?

CISA added CVE-2023-4863 to its Known Exploited Vulnerabilities (KEV) catalog with a remediation action-due date of October 4, 2023, meaning federal civilian agencies had roughly three weeks under Binding Operational Directive 22-01 to patch or disable affected software. KEV listing is reserved for vulnerabilities CISA has confirmed are being actively exploited, not merely theoretical — this one qualified because Google's own advisory disclosed in-the-wild exploitation ahead of the patch. The advisory trail that followed spanned vendor bulletins from Google, Microsoft, and Mozilla, distribution security-tracker entries from Debian and Fedora, and the GitHub commit that shipped the actual bounds-check fix in the libwebp repository — a reference chain that, in itself, illustrates how many independent parties had to coordinate disclosure and patch timing around a single upstream commit.

What made this incident harder to fully remediate than a typical CVE?

Unlike a vulnerability confined to one application, CVE-2023-4863 required organizations to answer a question standard vulnerability scanners often can't: does any installed application, anywhere in this environment, bundle libwebp at any depth in its own build, independent of the operating system's patched copy? A scanner that only checks OS package manifests would report the system as remediated once apt upgrade ran, while an unpatched Electron app sitting in /opt with its own bundled Chromium remained exploitable. Security teams that relied on surface-level SBOMs generated at build time, rather than deep runtime or filesystem inspection, frequently missed these vendored copies entirely, because the vulnerable binary was several directories and a few dependency hops away from anything a manifest-only scan would list as a top-level package.

How Safeguard Helps

libwebp is exactly the shape of dependency that shallow scanning misses: a shared, vendored library that shows up several levels deep in a dependency graph rather than as a direct, declared dependency. Safeguard's deep dependency scanning walks resolved dependency graphs up to 100 levels — well past the 50-60 level ceiling common in other SCA tools — and captures the full path from an application's root down to a vulnerable node, so a libwebp-class bug buried inside a bundled Electron runtime or a transitive image-processing library doesn't disappear into a manifest gap. On top of that, Safeguard's vulnerability tracking ingests CISA's KEV catalog and EPSS scores alongside CVSS, so a finding that's flagged as actively exploited in the wild — as CVE-2023-4863 was before its patch even shipped — is surfaced and prioritized ahead of the hundreds of lower-urgency CVEs sitting in a typical backlog, rather than waiting to be triaged in severity order alone.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.