Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
CVE-2023-4863
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-09-13), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 8.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 8.8
- EG Score
- 9.0(high)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
September 12, 2023
Last Modified
June 17, 2026
Advisory Details (10)
Auto-updated Jun 1, 2026oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/26/7oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/26/1oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/8oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/7oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/6oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/5oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/4oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/3oss-security - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/22/1oss-security - CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
http://www.openwall.com/lists/oss-security/2023/09/21/4Patch Availability(29)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(13 across 5 ecosystems)
NuGet(7)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| magick.net-q16-anycpu | 10.0.0 ... 9.1.2 (184 versions) | 13.3.0 | — |
| magick.net-q16-hdri-anycpu | 10.0.0 ... 9.1.2 (181 versions) | 13.3.0 | — |
| magick.net-q16-x64 | 10.0.0 ... 9.1.2 (200 versions) | 13.3.0 | — |
| magick.net-q8-anycpu | 10.0.0 ... 9.1.2 (184 versions) | 13.3.0 | — |
| magick.net-q8-openmp-x64 | 10.0.0 ... 9.1.2 (81 versions) | 13.3.0 | — |
| magick.net-q8-x64 | 10.0.0 ... 9.1.2 (200 versions) | 13.3.0 | — |
| SkiaSharp | 2.80.0 ... 2.88.5 (11 versions) | 2.88.6 | — |
crates.io(3)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| libwebp-sys | — | 0.9.3 | — |
| libwebp-sys2 | — | 0.1.8 | — |
| webp | — | 0.2.6 | — |
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| github.com/chai2010/webp | — | 1.1.2-0.20250406010349-76805d5a8860 | — |
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| electron | — | 27.0.0-beta.2 | — |
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pillow | 1.0 ... 9.5.0 (93 versions) | 10.0.1 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(25)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
- Microsoft MSRCCVE-2023-48632023-09-12
Chromium: CVE-2023-4863 Heap buffer overflow in WebP
- Red HatRHBA-2023:5988IMPORTANT2023-09-11
RHBA-2023:5988 — Important
- Red HatRHBA-2023:6004IMPORTANT2023-09-11
RHBA-2023:6004 — Important
- Red HatRHSA-2023:5183IMPORTANT2023-09-11
RHSA-2023:5183 — Important
- Red HatRHSA-2023:5184IMPORTANT2023-09-11
RHSA-2023:5184 — Important
- Red HatRHSA-2023:5185IMPORTANT2023-09-11
RHSA-2023:5185 — Important
- Red HatRHSA-2023:5186IMPORTANT2023-09-11
RHSA-2023:5186 — Important
- Red HatRHSA-2023:5187IMPORTANT2023-09-11
RHSA-2023:5187 — Important
- Red HatRHSA-2023:5188IMPORTANT2023-09-11
RHSA-2023:5188 — Important
- Red HatRHSA-2023:5189IMPORTANT2023-09-11
RHSA-2023:5189 — Important
- Red HatRHSA-2023:5190IMPORTANT2023-09-11
RHSA-2023:5190 — Important
- Red HatRHSA-2023:5191IMPORTANT2023-09-11
RHSA-2023:5191 — Important
- Red HatRHSA-2023:5192IMPORTANT2023-09-11
RHSA-2023:5192 — Important
- Red HatRHSA-2023:5197IMPORTANT2023-09-11
RHSA-2023:5197 — Important
- Red HatRHSA-2023:5198IMPORTANT2023-09-11
RHSA-2023:5198 — Important
- Red HatRHSA-2023:5200IMPORTANT2023-09-11
RHSA-2023:5200 — Important
- Red HatRHSA-2023:5201IMPORTANT2023-09-11
RHSA-2023:5201 — Important
- Red HatRHSA-2023:5202IMPORTANT2023-09-11
RHSA-2023:5202 — Important
- Red HatRHSA-2023:5204IMPORTANT2023-09-11
RHSA-2023:5204 — Important
- Red HatRHSA-2023:5205IMPORTANT2023-09-11
RHSA-2023:5205 — Important
- Red HatRHSA-2023:5214IMPORTANT2023-09-11
RHSA-2023:5214 — Important
- Red HatRHSA-2023:5222IMPORTANT2023-09-11
RHSA-2023:5222 — Important
- Red HatRHSA-2023:5223IMPORTANT2023-09-11
RHSA-2023:5223 — Important
- Red HatRHSA-2023:5224IMPORTANT2023-09-11
RHSA-2023:5224 — Important
- Red HatRHSA-2023:5236IMPORTANT2023-09-11
RHSA-2023:5236 — Important
Data Freshness Timeline
(refreshed 95× in last 7d / 402× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 573 total refreshes for this CVE.
- 2026-07-11 22:28 UTCEG score recompute
- 2026-07-11 22:28 UTCVendor advisory
- 2026-07-11 18:43 UTCEG score recompute
- 2026-07-11 18:43 UTCVendor advisory
- 2026-07-11 14:58 UTCEG score recompute
- 2026-07-11 14:58 UTCVendor advisory
- 2026-07-11 11:12 UTCEG score recompute
- 2026-07-11 11:12 UTCVendor advisory
- 2026-07-11 07:27 UTCEG score recompute
- 2026-07-11 07:27 UTCVendor advisory
- 2026-07-11 03:42 UTCEG score recompute
- 2026-07-11 03:42 UTCVendor advisory
- 2026-07-10 23:57 UTCEG score recompute
- 2026-07-10 23:57 UTCVendor advisory
- 2026-07-10 20:12 UTCEG score recompute
- 2026-07-10 20:12 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 16:27 UTCEG score recompute
- 2026-07-10 16:27 UTCVendor advisory
- 2026-07-10 12:42 UTCEG score recompute
- 2026-07-10 12:42 UTCVendor advisory
- 2026-07-10 08:56 UTCEG score recompute
- 2026-07-10 08:56 UTCVendor advisory
- 2026-07-10 05:11 UTCEG score recompute
- 2026-07-10 05:11 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 01:25 UTCEG score recompute
- 2026-07-10 01:25 UTCVendor advisory
- 2026-07-09 21:38 UTCEG score recompute
- 2026-07-09 21:38 UTCVendor advisory
- 2026-07-09 17:53 UTCEG score recompute
- 2026-07-09 17:53 UTCVendor advisory
- 2026-07-09 14:07 UTCEG score recompute
- 2026-07-09 14:07 UTCVendor advisory
- 2026-07-09 10:22 UTCEG score recompute
- 2026-07-09 10:22 UTCVendor advisory
- 2026-07-09 06:37 UTCEG score recompute
- 2026-07-09 06:37 UTCVendor advisory
- 2026-07-09 02:51 UTCEG score recompute
- 2026-07-09 02:51 UTCVendor advisory
- 2026-07-08 23:06 UTCEG score recompute
- 2026-07-08 23:06 UTCVendor advisory
- 2026-07-08 19:20 UTCEG score recompute
- 2026-07-08 19:20 UTCVendor advisory
- 2026-07-08 15:34 UTCEG score recompute
- 2026-07-08 15:34 UTCVendor advisory
- 2026-07-08 11:47 UTCEG score recompute
- 2026-07-08 11:47 UTCVendor advisory
- 2026-07-08 08:00 UTCEG score recompute
- 2026-07-08 08:00 UTCVendor advisory
- 2026-07-08 04:15 UTCEG score recompute
- 2026-07-08 04:15 UTCVendor advisory
- 2026-07-08 00:28 UTCEG score recompute
- 2026-07-08 00:28 UTCVendor advisory
- 2026-07-07 20:43 UTCEG score recompute
- 2026-07-07 20:43 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:57 UTCEG score recompute
- 2026-07-07 16:57 UTCVendor advisory
- 2026-07-07 13:12 UTCEG score recompute
- 2026-07-07 13:12 UTCVendor advisory
- 2026-07-07 09:26 UTCEG score recompute
- 2026-07-07 09:26 UTCVendor advisory
- 2026-07-07 05:41 UTCEG score recompute
- 2026-07-07 05:41 UTCVendor advisory
- 2026-07-07 01:53 UTCEG score recompute
- 2026-07-07 01:53 UTCVendor advisory
- 2026-07-06 22:07 UTCEG score recompute
- 2026-07-06 22:07 UTCVendor advisory
- 2026-07-06 18:21 UTCEG score recompute
- 2026-07-06 18:21 UTCVendor advisory
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 14:35 UTCEG score recompute
- 2026-07-06 14:35 UTCVendor advisory
- 2026-07-06 10:49 UTCEG score recompute
- 2026-07-06 10:49 UTCVendor advisory
- 2026-07-06 07:04 UTCEG score recompute
- 2026-07-06 07:04 UTCVendor advisory
- 2026-07-06 03:17 UTCEG score recompute
- 2026-07-06 03:17 UTCVendor advisory
- 2026-07-05 23:31 UTCEG score recompute
- 2026-07-05 23:31 UTCVendor advisory
- 2026-07-05 19:46 UTCEG score recompute
- 2026-07-05 19:46 UTCVendor advisory
- 2026-07-05 16:01 UTCEG score recompute
- 2026-07-05 16:01 UTCVendor advisory
- 2026-07-05 12:16 UTCEG score recompute
- 2026-07-05 12:16 UTCVendor advisory
- 2026-07-05 08:31 UTCEG score recompute
- 2026-07-05 08:31 UTCVendor advisory
- 2026-07-05 04:45 UTCEG score recompute
- 2026-07-05 04:45 UTCVendor advisory
- 2026-07-05 00:59 UTCEG score recompute
- 2026-07-05 00:59 UTCVendor advisory
- 2026-07-04 21:12 UTCEG score recompute
- 2026-07-04 21:12 UTCVendor advisory
- 2026-07-04 17:27 UTCEG score recompute
- 2026-07-04 17:27 UTCVendor advisory
- 2026-07-04 13:41 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (10 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Open source ↗GitHub PoCShcesama/cve-2023-4863-analysisFirst seen Jun 3, 2026
- GitHub PoCcaoweiquan322/NotEnoughFirst seen Dec 19, 2023
This tool calculates tricky canonical huffman histogram for CVE-2023-4863.
Open source ↗ - Open source ↗GitHub PoCLiveOverflow/webp-CVE-2023-4863First seen Dec 18, 2023
- Open source ↗GitHub PoChuiwen-yayaya/CVE-2023-4863First seen Nov 11, 2023
- GitHub PoCmurphysecurity/libwebp-checkerFirst seen Oct 5, 2023
A tool for finding vulnerable libwebp(CVE-2023-4863)
Open source ↗ - GitHub PoCGTGalaxi/ElectronVulnerableVersionFirst seen Sep 30, 2023
Find Electron Apps Vulnerable to CVE-2023-4863 / CVE-2023-5129
Open source ↗ - GitHub PoCOITApps/Find-VulnerableElectronVersionFirst seen Sep 29, 2023
Scans an executable and determines if it was wrapped in an Electron version vulnerable to the Chromium vulnerability CVE-2023-4863/ CVE-2023-5129
Open source ↗ - GitHub PoCtalbeerysec/BAD-WEBP-CVE-2023-4863First seen Sep 25, 2023
BAD-WEBP-CVE-2023-4863
Open source ↗ - Open source ↗GitHub PoCbbaranoff/CVE-2023-4863First seen Sep 25, 2023
- Open source ↗GitHub PoCmistymntncop/CVE-2023-4863First seen Sep 21, 2023
Frequently asked(6)
What is CVE-2023-4863?
When was CVE-2023-4863 disclosed?
Is CVE-2023-4863 actively exploited?
What is the CVSS score of CVE-2023-4863?
Which products are affected by CVE-2023-4863?
How do I remediate CVE-2023-4863?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-4863
Is Your Infrastructure Affected by CVE-2023-4863?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.