Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability that was exploited as a zero-day in attacks. Initially disclosed as a Chrome weakness, the flaw has now been recognized as a critical issue in libwebp itself and given the maximum severity rating. The vulnerability is a heap buffer overflow in WebP that affects Google Chrome and other projects using the libwebp library. Promptly patching the vulnerability in every affected product is crucial for data security across platforms.
Incomplete disclosures by Apple and Google regarding critical zero-day vulnerabilities have created a "huge blindspot" that is leaving many offerings from other developers unpatched. Researchers have found evidence suggesting that the vulnerabilities reported by Apple and Google, which stem from a bug in libwebp, are likely the same flaw. However, instead of coordinating and accurately reporting the common origin of the vulnerability, the two companies used separate CVE designations. As a result, millions of applications remain vulnerable, and automated vulnerability scanners fail to detect the critical vulnerability. Google has faced criticism for limiting the scope of the vulnerability and not mentioning the widely used libwebp library.