First published: Wed Sep 06 2023(Updated: )
<p>This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see <a href="https://chromereleases.googleblog.com/2023">Google Chrome Releases</a> for more information.</p> <p>Google is aware that an exploit for CVE-2023-4863 exists in the wild.</p>
Credit: Apple Security Engineering TorontoArchitecture (SEAR) TorontoThe Citizen Lab at The University Toronto chrome-cve-admin@google.com chrome-cve-admin@google.com chrome-cve-admin@google.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Teams for Desktop | ||
Microsoft Teams for Mac | ||
Microsoft VP9 Video Extensions | ||
Microsoft WebP Image Extension | ||
Microsoft Skype | ||
nuget/magick.net-q8-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q8-openmp-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q8-anycpu | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-x64 | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-hdri-anycpu | <13.3.0 | 13.3.0 |
nuget/magick.net-q16-anycpu | <13.3.0 | 13.3.0 |
rust/webp | <0.2.6 | 0.2.6 |
pip/Pillow | <10.0.1 | 10.0.1 |
go/github.com/chai2010/webp | >=1.0.0 | |
nuget/SkiaSharp | >=2.0.0<2.88.6 | 2.88.6 |
npm/electron | >=27.0.0-beta.1<27.0.0-beta.2 | 27.0.0-beta.2 |
npm/electron | >=26.0.0<26.2.1 | 26.2.1 |
npm/electron | >=25.0.0<25.8.1 | 25.8.1 |
npm/electron | >=24.0.0<24.8.3 | 24.8.3 |
npm/electron | >=22.0.0<22.3.24 | 22.3.24 |
rust/libwebp-sys | <0.9.3 | 0.9.3 |
rust/libwebp-sys2 | <0.1.8 | 0.1.8 |
Microsoft Edge | <117.0.2045.31 | |
Microsoft Edge (Chromium-based) | ||
Mozilla Firefox | <117.0.1 | 117.0.1 |
Mozilla Firefox ESR | <102.15.1 | 102.15.1 |
Mozilla Firefox ESR | <115.2.1 | 115.2.1 |
Mozilla Thunderbird | <102.15.1 | 102.15.1 |
Mozilla Thunderbird | <115.2.2 | 115.2.2 |
Google Chrome | <116.0.5845.187 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
Mozilla Firefox | <117.0.1 | |
Mozilla Firefox ESR | <102.15.1 | |
Mozilla Firefox ESR | >=115.0<115.2.1 | |
Mozilla Thunderbird | <102.15.1 | |
Mozilla Thunderbird | >=115.0<115.2.2 | |
Microsoft Edge | <117.0.2045.31 | |
Webmproject Libwebp | <1.3.2 | |
Microsoft Edge Chromium | <117.0.5938.62 | |
Microsoft Teams | =1.6.00.26463 | |
Microsoft Teams Desktop | =1.6.00.26474 | |
Microsoft WebP Image Extension | =1.0.62681.0 | |
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Bentley Seequent Leapfrog | <2023.2 | |
Google Chromium WebP | ||
Google Chrome | <116.0.5845.187 | 116.0.5845.187 |
Google Android | ||
debian/chromium | 120.0.6099.224-1~deb11u1 128.0.6613.84-1~deb12u1 130.0.6723.69-1~deb12u1 129.0.6668.89-1 130.0.6723.69-1 | |
debian/firefox | 131.0.3-1 | |
debian/firefox-esr | 115.14.0esr-1~deb11u1 128.3.1esr-1~deb11u1 115.14.0esr-1~deb12u1 128.3.1esr-1~deb12u1 128.3.1esr-2 | |
debian/libwebp | 0.6.1-2.1+deb11u2 1.2.4-0.2+deb12u1 1.4.0-0.1 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:115.16.0esr-1~deb11u1 1:115.12.0-1~deb12u1 1:115.16.0esr-1~deb12u1 1:128.3.2esr-1 |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
CVE-2023-4863 is a vulnerability in Google Chromium WebP that allows a remote attacker to perform an out-of-bounds memory write.
Microsoft Edge (Chromium-based), Google Chromium WebP, Microsoft Edge, Mozilla Firefox, Mozilla Firefox ESR, Mozilla Thunderbird, and libwebp are affected by CVE-2023-4863.
CVE-2023-4863 has a severity rating of critical (8.8).
To fix the CVE-2023-4863 vulnerability, update your software to the latest version provided by the respective vendors or apply the available patches.
You can find more information about CVE-2023-4863 on the Microsoft Security Response Center (MSRC) website, Google Chrome Releases blog, and Bugzilla Mozilla website.