Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser have all been impacted by a single zero-day vulnerability tracked as CVE-2023-4863, which is caused by a heap buffer overflow in the WebP code library.
"Opening a malicious WebP image could lead to a heap buffer overflow in the content process," Mozilla said. Once exploited, it can lead to system crashes and arbitrary code execution, allowing a remote attacker to perform an out-of-bounds memory write through a malicious WebP image.
Attacks appear to be limited to Google Chrome for now; Mozilla's advisory said the company was "aware of this issue being exploited in other products in the wild."
“Since many browsers, including Microsoft Edge, Brave, Opera, and Vivaldi are built on the Chromium platform, the same platform that Chrome is based on, this could affect their users as well. The same risk is also applicable for Firefox browser clones,” said Chris Hauk, consumer privacy advocate at Pixel Privacy.
CVE-2023-4863 was first identified by researchers at The Citizen Lab, a research arm of the University of Toronto, on September 6, 2023.