Skip to content

CefSharp affected by heap buffer overflow in WebP

Critical severity GitHub Reviewed Published Sep 16, 2023 in cefsharp/CefSharp • Updated Oct 2, 2023

Package

nuget CefSharp.Common (NuGet)

Affected versions

< 116.0.230

Patched versions

116.0.230
nuget CefSharp.Common.NETCore (NuGet)
< 116.0.230
116.0.230

Description

Google is aware that an exploit for CVE-2023-4863 exists in the wild.

Description

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

References

Updated

There is another related security vulnerability.

There's another related CVE (CVE-2023-5217) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (--disable-blink-features=WebCodecs).

As per https://magpcss.org/ceforum/viewtopic.php?f=6&t=19551#p54150

References

@amaitland amaitland published to cefsharp/CefSharp Sep 16, 2023
Published to the GitHub Advisory Database Sep 21, 2023
Reviewed Sep 21, 2023
Last updated Oct 2, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-j646-gj5p-p45g

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.