Google patches Chrome’s fifth zero-day of the year

March 21, 2026 | 2 min read | 2 sources

Google has released a Chrome security update that fixes 11 vulnerabilities, including a zero-day tracked as CVE-2023-4863 that the company said was under active exploitation. The flaw, initially described in some reports as an input validation issue, was later identified as a heap buffer overflow in the widely used libwebp image library, creating a path to arbitrary code execution through a specially crafted WebP image.

The patch landed in Chrome’s stable channel on Sept. 6, with Google warning that an exploit for CVE-2023-4863 existed in the wild. The bug stood out not just because it was Chrome’s fifth zero-day patched in 2023, but because libwebp is embedded well beyond the browser itself. That meant the risk extended to other Chromium-based software and any application that relied on the same image-processing component.

For users and defenders, the immediate concern was straightforward: malicious content could trigger the flaw simply by being rendered. In practical terms, visiting a booby-trapped site or opening content containing a crafted WebP image could be enough to compromise a target system. Browser zero-days are already high-priority patch items, but shared library bugs like this one tend to widen the blast radius across vendors and platforms.

The wider impact became clearer days later. CISA added CVE-2023-4863 to its Known Exploited Vulnerabilities catalog, signaling the flaw’s operational significance and requiring federal agencies to remediate it on deadline. Apple also issued emergency updates and said the vulnerability may have been exploited in attacks against specific targeted individuals, underscoring that this was not just a routine browser fix.

Organizations should treat the issue as more than a single Chrome patch cycle. Asset owners need to verify that Chrome is updated, then identify other software in their environment that uses libwebp. For individual users, enabling automatic updates and keeping browsers, operating systems, and security tools current remains the fastest way to reduce exposure. Users on untrusted networks may also want to pair patching with basic protections such as a VPN, though the patch itself is the primary fix.
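Because the flaw fires when content is decoded rather than when a file is opened by name, defenders triaging quarantined attachments or proxy captures want to know which blobs will actually reach libwebp, whatever their extension says. The following is an added example, not code from the article or from the libwebp project: it identifies a WebP container by its RIFF header and reports which first chunk it carries (VP8L is the lossless path whose decoder CVE-2023-4863 affected), and it includes a constructed sample builder so it runs offline.

```python
"""Identify WebP containers by header, not extension (added example, not libwebp code)."""
import struct
from typing import Optional


def inspect_webp(data: bytes) -> Optional[dict]:
    """Return {"variant", "width", "height"} for a WebP blob, or None if it is not one."""
    if len(data) < 20 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        return None  # truncated container: declared RIFF length exceeds the blob
    fourcc = data[12:16]
    chunk_len = struct.unpack_from("<I", data, 16)[0]
    payload = data[20:20 + chunk_len]
    if len(payload) < chunk_len:
        return None  # first chunk claims more bytes than are present
    if fourcc == b"VP8L":
        # Lossless bitstream: signature byte 0x2F, then 14-bit width-1 and 14-bit height-1.
        if len(payload) < 5 or payload[0] != 0x2F:
            return None
        bits = int.from_bytes(payload[1:5], "little")
        return {"variant": "VP8L", "width": (bits & 0x3FFF) + 1,
                "height": ((bits >> 14) & 0x3FFF) + 1}
    if fourcc == b"VP8 ":
        # Lossy key frame: 3-byte frame tag, start code 9D 01 2A, then 14-bit dimensions.
        if len(payload) < 10 or payload[3:6] != b"\x9d\x01\x2a":
            return None
        w, h = struct.unpack_from("<HH", payload, 6)
        return {"variant": "VP8", "width": w & 0x3FFF, "height": h & 0x3FFF}
    if fourcc == b"VP8X":
        # Extended container: flags byte, 3 reserved bytes, then 24-bit width-1 / height-1.
        if len(payload) < 10:
            return None
        w = int.from_bytes(payload[4:7], "little") + 1
        h = int.from_bytes(payload[7:10], "little") + 1
        return {"variant": "VP8X", "width": w, "height": h}
    return None


def build_sample_vp8l(width: int, height: int) -> bytes:
    """Constructed minimal WebP/VP8L container for testing; headers only, not a decodable image."""
    hdr = bytes([0x2F]) + ((width - 1) | ((height - 1) << 14)).to_bytes(4, "little")
    payload = hdr + b"\x00" * 3  # filler keeps the chunk length even (RIFF padding rule)
    chunk = b"VP8L" + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


if __name__ == "__main__":
    # A WebP saved as "photo.jpg" is still routed to the WebP decoder when rendered.
    print(inspect_webp(build_sample_vp8l(16, 8)))
```

Feeding quarantined files through `inspect_webp` lets a responder count how many candidates would be decoded by the vulnerable library before patched builds were deployed.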
