Double Free Affecting libwebp package, versions <1.3.0-r3


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Social Trends
EPSS
0.95% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE322-LIBWEBP-10277744
  • published31 May 2025
  • disclosed20 Jun 2023

Introduced: 20 Jun 2023

CVE-2023-1999  (opens in a new tab)
CWE-415  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade Alpine:3.22 libwebp to version 1.3.0-r3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwebp package and not the libwebp package as distributed by Alpine. See How to fix? for Alpine:3.22 relevant fixed versions and status.

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.

CVSS Base Scores

version 3.1