CVE-2018-25012
Description
A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow in libwebp before 1.0.1 in GetLE24() can lead to an out-of-bounds read via a crafted VP8X chunk.
Vulnerability
A heap-based buffer overflow exists in libwebp versions before 1.0.1, specifically in the GetLE24() function. The issue resides in muxread.c: when parsing the VP8X chunk, the code reads 24-bit little-endian fields without first checking that enough bytes remain in the buffer, so an undersized or truncated chunk causes a read past the end of the heap allocation. All releases prior to 1.0.1 are affected.
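The defect described above is a missing "is there enough input left?" check before a fixed-width read. The following C code is an added illustration written for this page, not libwebp's own code: a bounds-checked little-endian reader and a VP8X chunk parser that bounds every read by the bytes actually present in memory rather than by the attacker-controlled declared chunk size. All function and type names (get_le_checked, parse_vp8x, vp8x_info, canvas_width) are hypothetical, and the sample chunk is constructed.

```c
/* Added illustration, not libwebp's code: bounds-checked LE reads for a
 * VP8X chunk. Every read is limited by 'size', the bytes really present,
 * never by the declared payload length. Names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VP8X_PAYLOAD_SIZE 10u   /* flags (4) + width-1 (3) + height-1 (3) */

typedef struct { uint32_t flags, width, height; } vp8x_info;

/* Read n (1..4) little-endian bytes at 'off' only if they fit in 'size'.
 * Returns 0 on success, -1 if the read would run past the buffer. */
static int get_le_checked(const uint8_t *buf, size_t size, size_t off,
                          size_t n, uint32_t *out) {
    uint32_t v = 0;
    if (buf == NULL || off > size || size - off < n) return -1;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)buf[off + i] << (8 * i);
    *out = v;
    return 0;
}

/* Parse a VP8X chunk: FourCC "VP8X", LE32 payload size, then the payload.
 * The declared payload size is untrusted input and is validated against
 * the bytes actually available before any field is read. */
int parse_vp8x(const uint8_t *buf, size_t size, vp8x_info *info) {
    uint32_t payload, w, h;
    if (size < 8 || memcmp(buf, "VP8X", 4) != 0) return -1;
    if (get_le_checked(buf, size, 4, 4, &payload)) return -1;
    /* Declared size must cover the fixed header and must fit in memory. */
    if (payload < VP8X_PAYLOAD_SIZE || payload > size - 8) return -1;
    if (get_le_checked(buf, size, 8, 4, &info->flags)) return -1;
    if (get_le_checked(buf, size, 12, 3, &w)) return -1;
    if (get_le_checked(buf, size, 15, 3, &h)) return -1;
    info->width = w + 1;   /* VP8X stores canvas size minus one */
    info->height = h + 1;
    return 0;
}

/* Constructed sample: a complete 18-byte VP8X chunk, canvas 32x16. */
static const uint8_t SAMPLE_VP8X[18] = {
    'V', 'P', '8', 'X',  10, 0, 0, 0,   /* FourCC, payload size 10 */
    0x10, 0, 0, 0,                       /* flags (constructed value) */
    0x1F, 0, 0,  0x0F, 0, 0 };           /* width-1 = 31, height-1 = 15 */

/* Returns the parsed canvas width, or 0 if the parser rejects the input. */
uint32_t canvas_width(const uint8_t *buf, size_t size) {
    vp8x_info info;
    return parse_vp8x(buf, size, &info) == 0 ? info.width : 0;
}
```

Passing the same sample with a shorter size models a file that ends mid-chunk: the parser rejects it instead of reading past the buffer.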
Exploitation
An attacker can exploit this vulnerability by supplying a crafted WebP file with a malformed VP8X chunk to any application that uses the libwebp library to parse WebP images. The attack requires no special privileges; user interaction may be required to open the malicious file.
Impact
Successful exploitation results in an out-of-bounds heap memory read, which can lead to information disclosure or potentially a crash (denial of service). The attacker can read beyond the allocated buffer, possibly leaking sensitive data.
Mitigation
The issue is fixed in libwebp version 1.0.1 with commit 95fd65070662e01cc9170c4444f5c0859a710097 [2]. Red Hat Enterprise Linux 8 addressed it via RHSA-2021:4231 [1]. Users should update to the patched version. No workaround is available other than applying the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- libwebp/libwebp
OSV coordinates (35 package versions, no CPE):
- pkg:rpm/almalinux/libwebp: < 1.0.0-5.el8
- pkg:rpm/almalinux/libwebp-devel: < 1.0.0-5.el8
- pkg:rpm/opensuse/libwebp (distro: openSUSE Leap 15.3): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: HPE Helion OpenStack 8): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Enterprise Storage 6): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise High Performance Computing 15-LTSS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Module for Package Hub 15 SP2): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Module for Package Hub 15 SP3): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 12 SP2-BCL): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 12 SP3-BCL): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 12 SP3-LTSS): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 12 SP4-LTSS): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 12 SP5): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 15 SP1-BCL): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 15 SP1-LTSS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server 15-LTSS): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server for SAP Applications 15): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Software Development Kit 12 SP5): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Workstation Extension 15 SP2): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Linux Enterprise Workstation Extension 15 SP3): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Manager Proxy 4.0): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Manager Retail Branch Server 4.0): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE Manager Server 4.0): < 0.5.0-3.5.1
- pkg:rpm/suse/libwebp (distro: SUSE OpenStack Cloud 7): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE OpenStack Cloud 8): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE OpenStack Cloud 9): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE OpenStack Cloud Crowbar 8): < 0.4.3-4.7.1
- pkg:rpm/suse/libwebp (distro: SUSE OpenStack Cloud Crowbar 9): < 0.4.3-4.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugs.chromium.org/p/oss-fuzz/issues/detail (x_refsource_MISC)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_MISC)
- chromium.googlesource.com/webm/libwebp/+/95fd65070662e01cc9170c4444f5c0859a710097 (x_refsource_MISC)
News mentions
No linked articles in our index yet.