First published: Wed Sep 06 2023

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases (https://chromereleases.googleblog.com/2023) for more information.

Google is aware that an exploit for CVE-2023-4863 exists in the wild.

Credit: Apple Security Engineering and Architecture (SEAR), The Citizen Lab at The University of Toronto, chrome-cve-admin@google.com

Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Teams for Desktop | ||
Microsoft Teams for Mac | ||
Microsoft VP9 Video Extensions | ||
Microsoft WebP Image Extension | ||
Microsoft Skype | ||
nuget/magick.net-q8-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q8-openmp-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q8-anycpu | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-hdri-anycpu | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-anycpu | <13.3.0 | 13.3.0 |
rust/webp | <0.2.6 | 0.2.6 |
pip/Pillow | <10.0.1 | 10.0.1 |
go/github.com/chai2010/webp | >=1.0.0 | |
nuget/SkiaSharp | >=2.0.0 <2.88.6 | 2.88.6 |
npm/electron | >=27.0.0-beta.1 <27.0.0-beta.2 | 27.0.0-beta.2 |
npm/electron | >=26.0.0 <26.2.1 | 26.2.1 |
npm/electron | >=25.0.0 <25.8.1 | 25.8.1 |
npm/electron | >=24.0.0 <24.8.3 | 24.8.3 |
npm/electron | >=22.0.0 <22.3.24 | 22.3.24 |
rust/libwebp-sys | <0.9.3 | 0.9.3 |
rust/libwebp-sys2 | <0.1.8 | 0.1.8 |
Google Android | ||
Microsoft Edge | <117.0.2045.31 | |
Google Chromium WebP | ||
Microsoft Edge (Chromium-based) | ||
Google Chrome | <117.0.5938.62 | 117.0.5938.62 |
Mozilla Firefox | <117.0.1 | 117.0.1 |
Mozilla Firefox ESR | <102.15.1 | 102.15.1 |
Mozilla Firefox ESR | <115.2.1 | 115.2.1 |
Mozilla Thunderbird | <102.15.1 | 102.15.1 |
Mozilla Thunderbird | <115.2.2 | 115.2.2 |
Google Chrome | <116.0.5845.187 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
Mozilla Firefox | <117.0.1 | |
Mozilla Firefox ESR | <102.15.1 | |
Mozilla Firefox ESR | >=115.0 <115.2.1 | |
Mozilla Thunderbird | <102.15.1 | |
Mozilla Thunderbird | >=115.0 <115.2.2 | |
Webmproject Libwebp | <1.3.2 | |
ubuntu/firefox | <117.0.1+ | 117.0.1+ |
ubuntu/firefox | <117.0.1 | 117.0.1 |
ubuntu/libwebp | <0.6.1-2ubuntu0.18.04.2+ | 0.6.1-2ubuntu0.18.04.2+ |
ubuntu/libwebp | <0.6.1-2ubuntu0.20.04.3 | 0.6.1-2ubuntu0.20.04.3 |
ubuntu/libwebp | <1.2.2-2ubuntu0.22.04.2 | 1.2.2-2ubuntu0.22.04.2 |
ubuntu/libwebp | <1.2.4-0.1ubuntu0.23.04.2 | 1.2.4-0.1ubuntu0.23.04.2 |
ubuntu/libwebp | <1.2.4-0.2ubuntu1 | 1.2.4-0.2ubuntu1 |
ubuntu/thunderbird | <1:102.15.1+ | 1:102.15.1+ |
ubuntu/thunderbird | <1:115.2.3+ | 1:115.2.3+ |
ubuntu/thunderbird | <115.2.2 | 115.2.2 |
debian/chromium | <=90.0.4430.212-1~deb10u1 | 120.0.6099.224-1~deb11u1 121.0.6167.139-1~deb12u1 124.0.6367.155-1~deb12u1 124.0.6367.118-1 124.0.6367.155-1 |
debian/firefox | 125.0.3-1 | |
debian/firefox-esr | <=91.12.0esr-1~deb10u1 | 115.10.0esr-1~deb10u1 115.7.0esr-1~deb11u1 115.10.0esr-1~deb11u1 115.7.0esr-1~deb12u1 115.10.0esr-1~deb12u1 115.10.0esr-1 |
debian/libwebp | <=0.6.1-2+deb10u1 | 0.6.1-2+deb10u3 0.6.1-2.1+deb11u2 1.2.4-0.2+deb12u1 1.3.2-0.4 1.4.0-0.1 |
debian/thunderbird | <=1:91.12.0-1~deb10u1 | 1:115.10.1-1~deb10u1 1:115.7.0-1~deb11u1 1:115.10.1-1~deb11u1 1:115.7.0-1~deb12u1 1:115.10.1-1~deb12u1 1:115.10.1-1 |

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-4863 is a vulnerability in Google Chromium WebP that allows a remote attacker to perform an out-of-bounds memory write.
Microsoft Edge (Chromium-based), Google Chromium WebP, Microsoft Edge, Mozilla Firefox, Mozilla Firefox ESR, Mozilla Thunderbird, and libwebp are affected by CVE-2023-4863.
CVE-2023-4863 has a severity rating of critical (8.8).
To fix the CVE-2023-4863 vulnerability, update your software to the latest version provided by the respective vendors or apply the available patches.
You can find more information about CVE-2023-4863 on the Microsoft Security Response Center (MSRC) website, the Google Chrome Releases blog, and the Mozilla Bugzilla website.