Analysts said Wednesday that security teams should prioritize remediating the vulnerability involving a heap buffer overflow in the libwebp (WebP) library that Google identified on Monday.The vulnerability — CVE-2023-5129 — was given a critical 10.0 CVSS score by Google and a high-severity 8.8 score by NIST.While the reason for the score discrepancy was not immediately clear, security pros said the flaw could lead to out-of-bounds memory writes that could let attackers execute arbitrary code using maliciously crafted HTML pages.“This vulnerability had the potential to impact a broad range of major browsers and applications, which could also contribute to its maximum severity rating by Google,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Additionally, it was reported to be actively exploited in the wild, further justifying a high CVSS score. As for the discrepancy in the scores, the perspectives of the two entities could vary, with Google viewing the vulnerability through the lens of an affected vendor, and NIST acting as a third-party evaluator.”WebP is a modern image format that delivers superior lossless and lossy compression for images on the web. Using WebP, webmasters and web developers can create smaller, richer images that make the web faster.
Patch/Configuration Management, Vulnerability Management
Google gives WebP library heap buffer overflow a critical score, but NIST rates it as high-severity

A vulnerability involving a heap buffer overflow in the libwebp (WebP) library received a 10.0 CVSS from Google, but NIST rated it as 8.8. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



