CVE-2020-36329

CVSS Score: 9.8 CRITICAL

📋 TL;DR

CVE-2020-36329 is a use-after-free vulnerability in libwebp that allows attackers to execute arbitrary code or cause denial of service. This affects any application using vulnerable versions of libwebp for WebP image processing, including web browsers, image editors, and operating system components. The vulnerability can be triggered by processing a malicious WebP image.

💻 Affected Systems

Products:
  • libwebp
  • Google Chrome
  • Mozilla Firefox
  • ImageMagick
  • GIMP
  • various Linux distributions
  • applications using libwebp
Versions: libwebp versions before 1.0.1
Operating Systems: Linux, Windows, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against vulnerable libwebp versions is affected. Web browsers are particularly high-risk due to automatic image processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes (denial of service) or limited code execution within the affected application's context.

🟢 If Mitigated: Application crashes without code execution if memory protections like ASLR are effective.

🌐 Internet-Facing: HIGH - Web applications processing user-uploaded images or browsers rendering web content are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications processing WebP images could be exploited via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious WebP image. Public proof-of-concept demonstrates crash/DoS; weaponized exploits likely exist given high CVSS score.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libwebp 1.0.1 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1956843

Restart Required: Yes

Instructions:

1. Update libwebp to version 1.0.1 or later.
2. Update all applications using libwebp (browsers, image tools).
3. Restart affected applications/services.
4. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade libwebp' (Debian/Ubuntu) or 'sudo yum update libwebp' (RHEL/CentOS).

🔧 Temporary Workarounds

Disable WebP image processing (platform: all)
  Configure applications to reject or not process WebP images. Application-specific configuration required.

Memory protection hardening (platform: linux)
  Enable ASLR and other memory protections to reduce exploit success:
    sysctl -w kernel.randomize_va_space=2
    echo 2 > /proc/sys/kernel/randomize_va_space

🧯 If You Can't Patch

  • Network segmentation: Isolate systems using vulnerable libwebp from untrusted networks
  • Application control: Restrict which applications can process WebP images using application whitelisting

🔍 How to Verify

Check if Vulnerable:

Check libwebp version: 'dpkg -l | grep libwebp' (Debian/Ubuntu) or 'rpm -qa | grep libwebp' (RHEL/CentOS). Version should be >=1.0.1.

Check Version:

libwebp-config --version 2>/dev/null || echo 'libwebp-config not found'

Verify Fix Applied:

Verify updated version is installed and test with known malicious WebP samples if available.
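The following script is an added example, not part of this advisory: it automates the version check above by reading the installed libwebp version through pkg-config, dpkg or rpm and comparing it against the fixed release 1.0.1. It assumes the Debian package is named libwebp followed by a soname digit (libwebp6, libwebp7, ...), that the RPM package and the pkg-config module are both named libwebp, and it handles epoch and revision suffixes in packaged version strings.

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether the installed libwebp is at
# or above the fixed release 1.0.1 (CVE-2020-36329). Assumes Debian package names
# libwebp<N> and the RPM/pkg-config name libwebp.
FIXED="1.0.1"

# Strip a packaging epoch ("2:") and any revision suffix ("-2", "~rc1", "+dfsg")
# so only the dotted upstream version remains.
normalize_version() {
    printf '%s' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $x in ''|*[!0-9]*) x=0 ;; esac   # missing or non-numeric field counts as 0
        case $y in ''|*[!0-9]*) y=0 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# Print the installed libwebp version from whichever tool is present (empty if none).
installed_libwebp_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libwebp 2>/dev/null; then
        pkg-config --modversion libwebp
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' 'libwebp[0-9]*' 2>/dev/null \
            | awk '$3 == "installed" { print $4; exit }'
    elif command -v rpm >/dev/null 2>&1 && rpm -q libwebp >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libwebp | head -n 1
    fi
}

# Exit status: 0 = fixed version present, 1 = vulnerable, 2 = version unknown.
check_libwebp() {
    v=$(installed_libwebp_version)
    [ -n "$v" ] || { echo "libwebp: version unknown (not installed or no package tool)"; return 2; }
    if version_ge "$v" "$FIXED"; then
        echo "libwebp $v: at or above $FIXED, not affected by CVE-2020-36329"; return 0
    fi
    echo "libwebp $v: below $FIXED, VULNERABLE to CVE-2020-36329"; return 1
}
check_libwebp
```

Distribution packages that backport the fix without raising the upstream version number will be reported as vulnerable by this check; confirm against the distribution's own advisory in that case. Statically linked or vendored copies of libwebp inside an application are not seen by any of the three package tools.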

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults in libwebp
  • Unexpected process termination when processing images

Network Indicators:

  • Unusual outbound connections from image processing applications
  • Large volumes of WebP image requests to web applications

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "SIGSEGV") AND "libwebp"
