_ _ _ __ __
_ __ ___ __ _ _ __| | __ ___ __ _ _ __ __| (_)/ _|/ _|
| '_ ` _ \ / _` | '__| |/ / / __/ _` | '__/ _` | | |_| |
| | | | | | (_| | | | < | (_| (_| | | | (_| | | _| _|
|_| |_| |_|\__,_|_| |_|\_\ \___\__,_|_| \__,_|_|_| |_|
The libwebp library is a codec (enCOde and DECode) for images created by Google.
The CVE can be exploited using a malicious webp file to cause a buffer overflow, which in theory can be followed up by Remote Code Execution
This seems to be linked to an Apple CVE (BLASTPASS) CVE-2023-41064, CVE-2023-41061).
While Google says it has been exploited in the wild, there is no other evidence, nor is their a working POC of the exploit.
Its possible that the BLASTPASS vulnerability which impacted iphones was the active exploitation.
Their is a POC of a crafted webp file that will crash the dwebp (decompresser) but appears to just not load in browsers.
github.com/mistymtnncop/CVE-2023-4863
There was a bad webp file here, but I took it out. It just showed as a broken img.
This file does not necessarily crash all vulnerable systems.
It is recommended to patch any affected software, especially web browsers.