Use after free in libwebp
Description
There exists a use-after-free/double-free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an out-of-memory error in the VP8 encoder; the pointer is still assigned to trial, and AddressSanitizer will attempt a double free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free/double-free in libwebp's ApplyFiltersAndEncode() can lead to memory corruption and potential code execution.
Vulnerability
The vulnerability is a use-after-free and double-free in the libwebp library, specifically in the ApplyFiltersAndEncode() function. The issue occurs when an attacker triggers a loop that frees best.bw and assigns best = trial pointer. A subsequent loop returns 0 due to an out-of-memory error in the VP8 encoder, leaving the pointer still assigned to trial, which leads to a double free that AddressSanitizer detects. Affected versions include libwebp prior to 1.3.1_p20230908 [1][2].
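The aliasing sequence described above, reduced to a self-contained C model. This is an added example, not libwebp source or the upstream patch: Slot, Result, Encode and RunTrials are hypothetical names, and the out-of-memory failure is simulated. Releases are tracked in a fixed pool so the second release is counted rather than executed, and the harden flag shows one general remedy, clearing the stale handle when ownership moves.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not libwebp source; all names here are hypothetical.
 * Frees are tracked in a fixed pool, so a double free is only counted. */
typedef struct { int live; } Slot;
typedef struct { Slot* bw; int score; } Result;
static Slot g_pool[4];
static int g_next, g_double_frees;

static Slot* PoolAlloc(void) {
  if (g_next >= 4) return NULL;
  g_pool[g_next].live = 1;
  return &g_pool[g_next++];
}
static void PoolFree(Slot* s) {
  if (s == NULL) return;
  if (!s->live) { ++g_double_frees; return; }  /* second release of a slot */
  s->live = 0;
}
/* Fails (returns 0) before touching out->bw, like an early OOM exit,
 * so any handle left in *out from the previous pass survives. */
static int Encode(int fail, int score, Result* out) {
  if (fail) return 0;
  out->bw = PoolAlloc();
  out->score = score;
  return out->bw != NULL;
}
/* Runs two trials; fail_at is the pass that hits the constructed OOM
 * (-1 for none). Returns the number of double frees observed. */
static int RunTrials(int harden, int fail_at) {
  Result best = {NULL, 1 << 30}, trial = {NULL, 0};
  int ok = 1;
  memset(g_pool, 0, sizeof(g_pool));
  g_next = g_double_frees = 0;
  for (int i = 0; i < 2; ++i) {
    ok = Encode(i == fail_at, 100 - i, &trial);
    if (!ok) break;
    if (trial.score < best.score) {
      PoolFree(best.bw);
      best = trial;                  /* best.bw and trial.bw now alias */
      if (harden) trial.bw = NULL;   /* ownership moved: drop stale handle */
    } else { PoolFree(trial.bw); trial.bw = NULL; }
  }
  if (!ok) PoolFree(trial.bw);       /* error path wipes the trial ... */
  PoolFree(best.bw);                 /* ... and then the best result */
  return g_double_frees;
}
int main(void) {
  printf("%d %d\n", RunTrials(0, 1), RunTrials(1, 1));
  return 0;
}
```

With no failure the second pass overwrites trial.bw with a fresh buffer, so the stale alias only matters on the error path; that is why the defect shows up only when a later pass fails.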
Exploitation
An attacker needs to provide a specially crafted WebP image that triggers the vulnerable code path. The exploitation requires no authentication; the victim must decode the malicious image using an application that relies on libwebp. The sequence involves the ApplyFiltersAndEncode() function being called in a loop, where memory is freed and then reused incorrectly due to an out-of-memory condition.
Impact
Successful exploitation could lead to memory corruption, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The impact is similar to other memory safety issues in image processing libraries, with the worst-case scenario being remote code execution [2].
Mitigation
The fix is included in libwebp version 1.3.1_p20230908 and later. Users should upgrade to this version or later. There is no known workaround [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (27 versions)
- pkg:rpm/almalinux/libwebp (no CPE) range: < 1.0.0-8.el8_7
- pkg:rpm/almalinux/libwebp-devel (no CPE) range: < 1.0.0-8.el8_7
- pkg:rpm/opensuse/libwebp&distro=openSUSE%20Leap%2015.4 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/opensuse/libwebp&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/opensuse/libwebp&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.3.0-2.1
- pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.4 (no CPE) range: < 102.10.1-150200.8.113.2
- pkg:rpm/suse/libwebp&distro=HPE%20Helion%20OpenStack%208 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 (no CPE) range: < 1.0.3-150200.3.5.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP4 (no CPE) range: < 0.5.0-150000.3.11.1
- pkg:rpm/suse/libwebp&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5 (no CPE) range: < 0.5.0-150000.3.11.1
- pkg:rpm/suse/libwebp&distro=SUSE%20OpenStack%20Cloud%208 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20OpenStack%20Cloud%209 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/libwebp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE) range: < 0.4.3-4.10.1
- pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4 (no CPE) range: < 102.10.1-150200.8.113.2
- pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP4 (no CPE) range: < 102.10.1-150200.8.113.2
Chromium/libwebp v5
- Range: 0.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.