Heap-based Buffer Overflow Affecting chromium package, versions [,116.0.5845.187)



    Attack Complexity Low
    User Interaction Required
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 49.1% (98th percentile)
Expand this section
8.8 high
Expand this section
8.8 high
Expand this section
Red Hat
9.6 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 12 Sep 2023
  • disclosed 11 Sep 2023
  • credit Apple SEAR, The Citizen Lab

How to fix?

Upgrade chromium to version 116.0.5845.187 or higher.


Affected versions of this package are vulnerable to Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can craft a special WebP lossless file that triggers the ReadHuffmanCodes() function to allocate the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.


This is only exploitable if the color_cache_bits value defines which size to use.

This vulnerability was also published on libwebp CVE-2023-5129


2023-09-12: Initial advisory publication

2023-09-27: Advisory details updated, including CVSS, references

2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863

2023-09-28: Research and addition of additional affected libraries

2024-01-28: Additional fix information