A recently discovered critical security vulnerability in the WebP codec allows attackers to trigger a heap buffer overflow in numerous widely used applications when a specially crafted image is opened. According to a report by Stackdiary, the affected software includes not only web browsers like Chrome, Firefox, Brave, and Edge, but also countless other apps that use the libwebp library.
The buffer overflow in the WebP library could potentially allow attackers to take control of a target system, steal data, or install malware. Google has also confirmed that the security vulnerability is actively being exploited by attackers.
Security updates addressing the vulnerability have already been released for the four mentioned web browsers. Other Chromium-based web browsers are likely to receive a corresponding patch soon if it’s not already available.
Affects More Than Just Google Chrome
Although the security vulnerability is often attributed solely to Google Chrome, Stackdiary emphasizes that this is not the case. The report lists several other applications that also use the vulnerable library to render WebP images and are potentially affected. This includes software such as Affinity, GIMP, Inkscape, LibreOffice, Telegram, Signal, Thunderbird, 1Password, and FFmpeg.
In essence, the problem affects a wide range of apps developed for various platforms using frameworks like Electron or Flutter. Some of these apps have already received patches, while others have not. Even the Electron framework developed by GitHub now has a patch available.
Given the severity of this security vulnerability, users are advised to keep their web browsers and other applications up to date. It’s expected that many apps will receive updates in the coming days and weeks to address the WebP vulnerability.