![]() ![]() ![]() Citizen Lab reports that CVE-2023–41064 was used as part of a zero-click iMessage exploit chain called BLASTPASS to deploy the notorious Pegasus spyware. Both vulnerabilities are believed to be related to the same core problem in the libwebp library. These bugs could lead to arbitrary code execution when dealing with a maliciously crafted image. This recent development follows after a similar bug was addressed by Apple, Google, and Mozilla, labeled under CVE codes CVE-2023–41064 and CVE-2023–4863. The ReadHuffmanCodes() function and the ReplicateValue area are particularly impacted by this flaw. The flaw arises from an issue in the Huffman coding algorithm which, with a specially crafted WebP lossless file, can lead to out-of-bounds data writing to the heap. This vulnerability, identified as CVE-2023–5129, has received the maximum severity score of 10.0 on the CVSS rating scale. Google has acknowledged a new and severe security flaw in the libwebp image library, which handles the rendering of WebP format images. ![]() UPDATE: CVE-2023–5129 has now been rejected and instead is being ref er red to as its predecessor only, CVE-2023–4863 ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |