CVE-2023-4863

high KEV

Published 2023-09-12 · Modified 2023-09-22

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.5

Description

Important: firefox security update

CISA KEV

Vendor: Google
Product: Chromium WebP
Due date: 2023-10-04

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2023-5200.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2023-5224.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2023-5214.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2023-5201.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2023:5201

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2023-5184.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2023:5184

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2023-5309.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2238431

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2023:5309

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html?m=1; https://nvd.nist.gov/vuln/detail/CVE-2023-4863

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2023:5214

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-4863.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2023:5184

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2023:5309

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2023:5201

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-4863

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2023:5224

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2023:5214

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2023:5200

Exploits

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
debian	bookworm	fixed	`117.0.5938.62-1`
debian	bullseye	fixed	`117.0.5938.62-1`
debian	forky	fixed	`117.0.5938.62-1`
debian	sid	fixed	`117.0.5938.62-1`
debian	trixie	fixed	`117.0.5938.62-1`
rocky	8	fixed
sles		affected
rocky	9	fixed

Package impact

Ecosystem	Package	Vulnerable	Fixed
crates.io	libwebp-sys
crates.io	libwebp-sys2
crates.io	libwebp-sys2	`<0.1.8`	`0.1.8`
crates.io	libwebp-sys	`<0.9.3`	`0.9.3`
npm	electron	`>=22.0.0,<22.3.24`	`22.3.24`
npm	electron	`>=24.0.0,<24.8.3`	`24.8.3`
npm	electron	`>=25.0.0,<25.8.1`	`25.8.1`
npm	electron	`>=26.0.0,<26.2.1`	`26.2.1`
npm	electron	`>=27.0.0-beta.1,<27.0.0-beta.2`	`27.0.0-beta.2`
NuGet	SkiaSharp	`>=2.0.0,<2.88.6`	`2.88.6`
Go	github.com/chai2010/webp	`>=1.1.2,<1.4.0`	`1.4.0`
PyPI	pillow	`<10.0.1`	`10.0.1`
crates.io	webp	`<0.2.6`	`0.2.6`
NuGet	magick.net-q16-anycpu	`<13.3.0`	`13.3.0`
NuGet	magick.net-q16-hdri-anycpu	`<13.3.0`	`13.3.0`
NuGet	magick.net-q16-x64	`<13.3.0`	`13.3.0`
NuGet	magick.net-q8-anycpu	`<13.3.0`	`13.3.0`
NuGet	magick.net-q8-openmp-x64	`<13.3.0`	`13.3.0`
NuGet	magick.net-q8-x64	`<13.3.0`	`13.3.0`
Go	github.com/chai2010/webp	`<0.0.0-20250406010349-76805d5a8860`	`0.0.0-20250406010349-76805d5a8860`
Go	github.com/chai2010/webp	`>=0.0.0,<1.1.2-0.20250406010349-76805d5a8860`	`1.1.2-0.20250406010349-76805d5a8860`
crates.io	libwebp-sys	`>=0.0.0-0,<0.9.3`	`0.9.3`
crates.io	libwebp-sys2	`>=0.0.0-0,<0.1.8`	`0.1.8`

References

Verify integrity in audit chain (admin only). AS-IS.