Unrated severity · NVD Advisory · Published May 21, 2021 · Updated Aug 5, 2024

CVE-2018-25014

Description

A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libwebp before 1.0.1 has a use of uninitialized value in ReadSymbol(), potentially leading to information disclosure or crash.

Vulnerability

A use of uninitialized value exists in the ReadSymbol() function of libwebp versions before 1.0.1. This occurs when processing specially crafted WebP images, where a symbol is read without proper initialization, leading to undefined behavior.

Exploitation

An attacker can exploit this by providing a malicious WebP image that triggers the uninitialized read in ReadSymbol(). No special privileges are required, as the attack vector is through image processing libraries that use libwebp.

Impact

Successful exploitation could lead to disclosure of uninitialized heap memory, potentially leaking sensitive information, or causing a denial of service via crash. The exact impact depends on how the uninitialized value is used.

Mitigation

The issue is fixed in libwebp version 1.0.1 [1]. The upstream patch is available in the Chromium repository [1]. Red Hat has addressed this vulnerability in Red Hat Enterprise Linux 7 (RHSA-2021:2328) and 8 (RHSA-2021:4231) [1]. Users should update to the latest version.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
