Google has assigned a new CVE ID to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago.
The decision to tag it as a Chrome bug caused confusion within the cybersecurity community, prompting questions regarding Google’s choice to categorize it as a Google Chrome issue rather than identifying it as a flaw in libwebp.
It has now assigned another CVE ID, CVE-2023-5129, marking it as a critical issue in libwebp with a maximum 10/10 severity rating.
Now officially recognized as a libwebp flaw, it involves a heap buffer overflow in WebP, impacting Google Chrome versions preceding 116.0.5845.187.
The reclassification of CVE-2023-5129 as a libwebp vulnerability holds particular importance due to it initially going unnoticed as a potential security threat for numerous projects using libwebp, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers.
Google fixes another Chrome zero-day bug exploited in attacks.