VYPR
Unrated severity · NVD Advisory · Published May 21, 2021 · Updated Aug 5, 2024

CVE-2018-25011

Description

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in libwebp's PutLE16() function before version 1.0.1 could lead to memory corruption.

Vulnerability

A heap-based buffer overflow exists in the PutLE16() function in libwebp versions before 1.0.1, as identified in [1]. The issue occurs when writing 16-bit values into a buffer without sufficient bounds checking, potentially allowing an attacker to corrupt heap memory. Affected versions include all libwebp releases prior to 1.0.1, which was released on November 2, 2018 [3].
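An added illustration of the bug class described above, not libwebp's code or its upstream fix: a raw little-endian 16-bit store next to a variant that checks the remaining space before writing. The names `put_le16_unchecked`, `put_le16_checked` and `le_writer` are hypothetical, and the buffer contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Raw little-endian 16-bit store: trusts the caller that data[0..1] is
 * valid. Given a pointer at the end of an allocation, it writes past it. */
static void put_le16_unchecked(uint8_t *data, unsigned val) {
    data[0] = (uint8_t)(val & 0xff);
    data[1] = (uint8_t)((val >> 8) & 0xff);
}

/* Hypothetical output cursor that keeps the buffer size with the pointer. */
typedef struct {
    uint8_t *buf;
    size_t   size;  /* bytes available in buf */
    size_t   pos;   /* next write offset */
} le_writer;

/* Checked store: returns 1 on success; returns 0 and writes nothing if the
 * value does not fit in 16 bits or fewer than 2 bytes remain. */
static int put_le16_checked(le_writer *w, unsigned val) {
    if (val > 0xffffu) return 0;
    if (w->pos > w->size || w->size - w->pos < 2) return 0;
    put_le16_unchecked(w->buf + w->pos, val);
    w->pos += 2;
    return 1;
}

/* Constructed demo: a 5-byte output region followed by one guard byte.
 * Two values fit; the third is refused because only 1 byte remains.
 * Returns the number of values written, or -1 if the tail was touched. */
static int demo_write_count(void) {
    uint8_t storage[6];
    memset(storage, 0xAA, sizeof storage);
    le_writer w = { storage, 5, 0 };
    int n = 0;
    n += put_le16_checked(&w, 0x1234);
    n += put_le16_checked(&w, 0xBEEF);
    n += put_le16_checked(&w, 0x5678);  /* refused */
    return (storage[4] == 0xAA && storage[5] == 0xAA) ? n : -1;
}

int main(void) {
    return demo_write_count() == 2 ? 0 : 1;
}
```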

Exploitation

An attacker needs to craft a malformed input file (e.g., a WebP image) that triggers the vulnerable code path in PutLE16(). The vulnerability was discovered through fuzzing (oss-fuzz issue #9119) [1], indicating that it can be triggered by malformed data processed by libwebp. No authentication or special privileges are required; the attack vector is remote, exploiting the library via a crafted image.

Impact

Successful exploitation can lead to heap corruption, potentially resulting in denial of service (crash) or arbitrary code execution (RCE) in the context of the process using libwebp. The vulnerability could allow an attacker to overwrite adjacent heap memory, leading to control flow hijacking. The scope of compromise depends on the application using libwebp, but this is considered a high-severity issue due to the possibility of memory corruption.

Mitigation

Upgrade to libwebp version 1.0.1 or later, which includes the fix [1][3]. The upstream patch is available in the repository [2]. Red Hat Enterprise Linux 7 users received the fix via RHSA-2021:2260 [1]. If upgrading is not immediately possible, application-level input validation or sandboxing may reduce risk. No workaround is provided for the vulnerable function itself.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35

References

4
