TLDR: PLEASE UPDATE YOUR GOOGLE CHROME IMMEDIATELY
A critical zero-day vulnerability recently disclosed in the WebP image library also known as 0day in WebP poses a significant security risk across numerous software applications and platforms.
Originally reported by Apple and Citizen Lab which was tracked as CVE-2023-4863 specific to Google Chrome, now has since been reclassified as CVE-2023-5129 and correctly attributed as a flaw in libwebp with a maximum 10/10 severity rating.
By crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data.
Ben Hawkes (former Project Zero manager) also wrote about this 0day, and he had this to say about it:
“The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn’t released a security bulletin that includes a fix for CVE-2023-4863 — although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I’d expect it to be fixed in the October bulletin.”