The latest vulnerability causing headaches across the world is CVE-2023-4863, issued by Google Chrome and described as “Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page”. This same CVE is cited by a number of other vendors as they are impacted as well. But, is this really a Google Chrome vulnerability?
The fix for this issue is not actually part of Chrome or even Chromium, but rather the libwebp library, which is used by Chromium and a number of other projects. The library is maintained by the WebM Project, a joint effort between Google and a number of other companies. Firefox, for example, also uses libwebp and is impacted by this vulnerability; Mozilla's advisory doesn't mention Chrome, but it does cite Chrome's CVE.
Every product mentioned in that chart (and many others) has found itself impacted to some degree by this vulnerability in libwebp, yet the defining CVE for the vulnerability was issued by the Google Chrome CNA as a Chrome vulnerability, instead of targeting either of the upstream sources. There are countless applications that use Electron, or Chromium, or libwebp, and they are all impacted by this vulnerability, yet the CVE is tied to Chrome. Some vendors have opted to cite the Chrome CVE, some have issued updates without actually explaining what they are patching, and some may end up issuing their own CVEs. This is less than ideal.
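Because the vulnerable code is vendored transitively (an Electron app bundles Chromium, which bundles libwebp), a CVE filed against "Google Chrome" gives you no direct way to tell which of your installed software is affected. The check below is an added example, not code from the post or from any of the projects it mentions: it walks a constructed, CycloneDX-style inventory with nested components and reports every path that ends in a vulnerable copy of libwebp, Chromium or Chrome. The Chrome fix version is the one quoted in the advisory above; libwebp 1.3.2 is the upstream release that carries the fix, which the post does not name. The inventory data, product names and the `components` nesting convention are all made up for the example.

```python
import json
import re

# Versions at which the fix landed. The Chrome/Chromium value is the one in the
# advisory text; libwebp 1.3.2 is the fixed upstream release (not named on the page).
FIXED_VERSIONS = {
    "libwebp": "1.3.2",
    "chromium": "116.0.5845.187",
    "google chrome": "116.0.5845.187",
}

# Constructed sample inventory (not real products or real data). Nested
# "components" model vendoring, e.g. app -> electron -> chromium -> libwebp.
SAMPLE_SBOM = json.loads("""
{
  "components": [
    {"name": "imagetool", "version": "4.1.0",
     "components": [{"name": "libwebp", "version": "1.3.1"}]},
    {"name": "chat-desktop", "version": "2.8.0",
     "components": [{"name": "electron", "version": "25.8.0",
                     "components": [{"name": "chromium", "version": "114.0.5735.289"}]}]},
    {"name": "photo-viewer", "version": "7.0.2",
     "components": [{"name": "libwebp", "version": "1.3.2"}]},
    {"name": "Google Chrome", "version": "116.0.5845.187"},
    {"name": "browser-kiosk", "version": "1.0",
     "components": [{"name": "chromium", "version": "116.0.5845.96"}]}
  ]
}
""")


def parse_version(version):
    """Turn '116.0.5845.96' into (116, 0, 5845, 96) so numeric comparison works.

    A plain string comparison would wrongly rank '...96' above '...187'.
    Non-numeric suffixes (e.g. '-rc1') are dropped; adjust if your inventory uses them.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(name, version):
    """True if `name` is one of the tracked components and `version` predates its fix."""
    fixed = FIXED_VERSIONS.get(name.lower())
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def walk(component, path):
    """Depth-first walk yielding the chain of names leading to each vulnerable component."""
    path = path + [f"{component['name']} {component['version']}"]
    if is_vulnerable(component["name"], component["version"]):
        yield path
    for child in component.get("components", []):
        yield from walk(child, path)


def find_affected(sbom):
    """Return one 'top-level -> ... -> vulnerable component' string per finding."""
    findings = []
    for top_level in sbom["components"]:
        for path in walk(top_level, []):
            findings.append(" -> ".join(path))
    return findings


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_SBOM):
        print(finding)
```

The point of reporting the whole path rather than just the leaf is that the leaf is never what you patch: "chromium 116.0.5845.96" is fixed by updating browser-kiosk, and that is the vendor you need an advisory from. The same walk works over a real SBOM as long as the vendored copies actually appear in it; a bundled libwebp compiled statically into an application with no SBOM entry is exactly the case this CVE made hard to find.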