Google assigns a CVE for libwebp and gives it a 10.0 score

In case you missed the news, there’s a critical 0day in WebP (a heap buffer overflow in the libwepb library) floating about, which was initially issued as CVE-2023-4863 and assigned specifically to Google Chrome. At the time this happened, I wrote my blog post about it and vehemently tried to make it clear that it wasn’t just Chrome that was affected, but any software that uses libwebp to render WebP images.

That story exploded. 🤯