VYPR
Unrated severity · NVD Advisory · Published May 21, 2021 · Updated Aug 5, 2024

CVE-2018-25013

Description

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in libwebp before 1.0.1 in ShiftBytes() allows an out-of-bounds read via a crafted WebP image.

Vulnerability

A heap-based buffer overflow was found in libwebp versions before 1.0.1 in the ShiftBytes() function within the incremental decoder (src/dec/idec_dec.c). This issue occurs when decoding specially crafted WebP images, leading to an out-of-bounds read. The vulnerability affects all libwebp versions prior to the fix committed in [2]. The bug is classified as an out-of-bounds read (CWE-125) and was introduced during incremental decoding logic changes [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious WebP image to a target application that uses libwebp for decoding. No authentication or special privileges are required; the attack can be triggered remotely via user interaction (e.g., visiting a website or opening a crafted image file). The out-of-bounds read occurs due to a race condition in the decoder where not all threads are properly synchronized during DecodeRemaining() [1][2].

Impact

Successful exploitation allows an attacker to read heap memory beyond the allocated buffer, potentially leading to information disclosure of sensitive data. This could expose memory contents such as cryptographic keys, user credentials, or other private information processed by the application. The impact is limited to information disclosure; arbitrary code execution has not been demonstrated, but out-of-bounds reads can sometimes be chained with other vulnerabilities for more severe outcomes [1].

Mitigation

The fix was committed on July 20, 2018, and included in libwebp version 1.0.1. Users should upgrade to libwebp 1.0.1 or later. The fix ensures proper thread synchronization in DecodeRemaining() by waiting for all threads to complete before continuing [2]. Red Hat has issued updates for affected products (RHEL, Fedora) as noted in [1]. No workarounds are available; upgrading is the only mitigation. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 36

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)