CVE-2023-4863

ENISA EUVD: EUVD-2023-2533 ↗
Exploited in the Wild: confirmed. 0-Day: confirmed (tracked by Google Project Zero).
Triaged: March 3, 2026 · 18 articles · Published: 2023-09-12

EPSS Score

Source: FIRST.org · 2026-05-23
93.3%
probability
This CVE has a 93.3% probability of being exploited in the next 30 days.
Top 99.8th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.8
HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Affected Products

Google Chrome: 116.0.5845.187 (first fixed release; builds prior to it are affected, per the CNA description)
Google libwebp: 1.3.2 (first fixed release; earlier versions are affected)

Attack Intelligence

Google Project Zero

Discovered: Sept. 6, 2023
Patched: Sept. 12, 2023
Reported by: Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School
Root Cause Analysis
???

Exploits & PoC

caoweiquan322/NotEnough

This tool calculates tricky canonical huffman histogram for CVE-2023-4863.

25 2023-12-20
murphysecurity/libwebp-checker

A tool for finding vulnerable libwebp(CVE-2023-4863)

21 2023-10-07
GTGalaxi/ElectronVulnerableVersion

Find Electron Apps Vulnerable to CVE-2023-4863 / CVE-2023-5129

6 2023-10-01
OITApps/Find-VulnerableElectronVersion

Scans an executable and determines if it was wrapped in an Electron version vulnerable to the Chromium vulnerability CVE-2023-4863/ CVE-2023-5129

5 2023-09-29
CrackerCat/CVE-2023-4863-

Triggering the famous libwebp 0-day vuln with libfuzzer

1 2024-02-03
577Industries/aegisgraph

AegisGraph: graph-based application-layer assessment evidence platform for Secure Messaging Applications (SMAs). DARPA ASEMA HR0011SB20254-12 Tier 3 r

0 2026-05-13
13 repos, sorted by ⭐ · Search on GitHub ↗

Signal Intelligence

Confidence
92%
EPSS 93.3%
CVSS v3.1 8.8
Mentions 18
Last Seen Jan 16, 2024

CNA Information

CNA Assigner
Chrome

Analyst Note

CVE-2023-4863 is a heap buffer overflow in libwebp, rated Critical by Chromium (CVSS v3.1 8.8, High). The flaw sits in the lossless (VP8L) decoder's Huffman table construction: the decoder allocated its lookup tables from a precomputed maximum size, and a crafted code-length histogram makes the table it builds larger than that allocation, so decoding the image writes past the heap buffer. Because the bug is in the library rather than in Chrome itself, every application that bundles libwebp (browsers, Electron apps, image libraries, messaging clients) is exposed; CVE-2023-5129 was briefly assigned to the library-wide issue before being rejected as a duplicate of this CVE. Multiple credible sources (BleepingComputer, CERT-EU) confirm active exploitation in the wild, establishing this as a confirmed zero-day vulnerability with high confidence.
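The "tricky canonical huffman histogram" that the NotEnough entry under Exploits & PoC refers to is the heart of this bug. The unpatched libwebp lossless (VP8L) decoder allocated its Huffman lookup tables from a precomputed per-alphabet maximum and then built two-level tables from the image's code lengths in BuildHuffmanTable; for some code-length histograms the built table is larger than the assumed maximum, and the build writes past the allocation. libwebp 1.3.2 instead computes the table size from the actual code lengths before allocating. The C program below is an added example written for this page, not code from libwebp or from any of the listed repositories: it re-implements the sizing walk of that routine (modeled on the GetNextKey and NextTableBitSize logic in huffman_utils.c) and runs it on constructed code-length arrays, so that the dependence of the table size on the histogram, not just on the alphabet size, is visible. ROOT_BITS = 8 and the sample histograms are assumptions for illustration; the function returns 0 for incomplete or over-subscribed codes, as the library does.

```c
#include <stdio.h>

#define MAX_CODE_LENGTH 15      /* libwebp's MAX_ALLOWED_CODE_LENGTH */
#define ROOT_BITS 8             /* assumed root-table width for the VP8L alphabets */

/* Width in bits of the second-level table below one root entry, chosen so it
 * holds every remaining code of length >= len sharing that root entry
 * (modeled on libwebp's NextTableBitSize). count[] is the live histogram. */
static int next_table_bits(const int *count, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_CODE_LENGTH) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* Advance a bit-reversed canonical code of the given length (GetNextKey). */
static unsigned next_key(unsigned key, int len) {
    unsigned step = 1u << (len - 1);
    while (key & step) step >>= 1;
    return step ? (key & (step - 1)) + step : key;
}

/* Number of lookup-table entries a two-level Huffman table needs for these
 * code lengths, or 0 if they do not form a complete prefix code. This is the
 * sizing walk only (no table writes), so it is safe on untrusted lengths and
 * is the check a decoder should run before allocating. */
int huffman_table_size(const int *code_lengths, int n, int root_bits) {
    int count[MAX_CODE_LENGTH + 1] = {0};
    int num_symbols = 0, total_size = 1 << root_bits;
    int num_nodes = 1, num_open = 1, low = -1;
    unsigned key = 0, mask = (unsigned)total_size - 1;
    int len, i;

    for (i = 0; i < n; ++i) {
        if (code_lengths[i] < 0 || code_lengths[i] > MAX_CODE_LENGTH) return 0;
        ++count[code_lengths[i]];
        if (code_lengths[i] > 0) ++num_symbols;
    }
    if (num_symbols == 0) return 0;
    for (len = 1; len <= MAX_CODE_LENGTH; ++len)
        if (count[len] > (1 << len)) return 0;   /* more codes than the level holds */
    if (num_symbols == 1) return total_size;     /* single-symbol alphabet */

    /* Codes no longer than root_bits land directly in the root table. */
    for (len = 1; len <= root_bits; ++len) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return 0;              /* over-subscribed level */
        for (i = 0; i < count[len]; ++i) key = next_key(key, len);
    }
    /* Longer codes spill into second-level tables: a new table starts each
     * time the root-level prefix of the key changes, sized by next_table_bits. */
    for (len = root_bits + 1; len <= MAX_CODE_LENGTH; ++len) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return 0;
        for (; count[len] > 0; --count[len]) {
            if ((int)(key & mask) != low) {
                total_size += 1 << next_table_bits(count, len, root_bits);
                low = (int)(key & mask);
            }
            key = next_key(key, len);
        }
    }
    /* A complete binary tree with num_symbols leaves has 2n-1 nodes. */
    if (num_nodes != 2 * num_symbols - 1) return 0;
    return total_size;
}

/* Constructed sample histograms (assumptions, not from any real WebP file). */
static void fill(int *lengths, int from, int to, int len) {
    int i;
    for (i = from; i < to; ++i) lengths[i] = len;
}

int sample_flat(void) {            /* 256 codes of length 8: root table only */
    int l[256];
    fill(l, 0, 256, 8);
    return huffman_table_size(l, 256, ROOT_BITS);
}

int sample_one_subtable(void) {    /* 255 x len 8 + 2 x len 9: one 2-entry subtable */
    int l[257];
    fill(l, 0, 255, 8);
    fill(l, 255, 257, 9);
    return huffman_table_size(l, 257, ROOT_BITS);
}

int sample_two_subtables(void) {   /* 127 x len 7 + 4 x len 9: two 2-entry subtables */
    int l[131];
    fill(l, 0, 127, 7);
    fill(l, 127, 131, 9);
    return huffman_table_size(l, 131, ROOT_BITS);
}

int sample_incomplete(void) {      /* lengths {1, 2} leave the tree unfilled */
    int l[2] = {1, 2};
    return huffman_table_size(l, 2, ROOT_BITS);
}

int main(void) {
    printf("flat          %d\n", sample_flat());
    printf("one subtable  %d\n", sample_one_subtable());
    printf("two subtables %d\n", sample_two_subtables());
    printf("incomplete    %d\n", sample_incomplete());
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. The safe pattern the 1.3.2 fix adopts is exactly this order of operations: size from the real code lengths first, allocate that many entries, then build. Searching the space of valid histograms for the largest value this function returns, for a 256-symbol alphabet with 15-bit maximum code length, is the kind of search the NotEnough tool listed above automates.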

Triage Info

Decided at: Mar 03, 2026
Published Date: Sep 12, 2023