CVE-2020-36328

A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Published: May 21, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-36328
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
webmproject / libwebp	-	1.0.1
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
apple / ipados	14.7	14.7.x
apple / iphone_os	14.7	14.7.x

http://seclists.org/fulldisclosure/2021/Jul/54
https://bugzilla.redhat.com/show_bug.cgi?id=1956829
https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html
https://security.netapp.com/advisory/ntap-20211112-0001/
https://support.apple.com/kb/HT212601
https://www.debian.org/security/2021/dsa-4930

Vulnerability Database

289,697

CVE-2020-36328