CVE-2020-36330

9.1 CRITICAL

📋 TL;DR

CVE-2020-36330 is an out-of-bounds read vulnerability in libwebp versions before 1.0.1, allowing attackers to read sensitive memory data or cause denial-of-service. It affects systems using libwebp for WebP image processing, such as web browsers, image editors, and applications that handle WebP files. The flaw can be triggered by processing a malicious WebP image.

💻 Affected Systems

Products:
  • libwebp
  • Google Chrome
  • Mozilla Firefox
  • ImageMagick
  • GIMP
  • other software using libwebp
Versions: libwebp versions before 1.0.1
Operating Systems: Linux, Windows, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or system that uses libwebp to decode WebP images is affected; default configurations are vulnerable if libwebp is installed and used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Exploitation could lead to remote code execution (RCE) or information disclosure, compromising system integrity and confidentiality, potentially allowing attackers to steal data or take control of affected systems.

🟠 Likely Case

Most probable impact is denial-of-service (DoS) through application crashes or data leakage via memory reads, disrupting services or exposing sensitive information.

🟢 If Mitigated

With proper controls like network segmentation and least privilege, impact may be limited to isolated application crashes or minimal data exposure.

🌐 Internet-Facing: HIGH, as web applications or services processing user-uploaded WebP images are directly exposed to exploitation from untrusted sources.
🏢 Internal Only: MEDIUM, as internal systems may be vulnerable if they process WebP images from untrusted internal sources, but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires processing a malicious WebP image; public proof-of-concept code exists, making attacks feasible with minimal effort.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libwebp 1.0.1 or later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1956853

Restart Required: Yes

Instructions:

1. Update libwebp to version 1.0.1 or later using your package manager (e.g., 'sudo apt update && sudo apt upgrade libwebp' on Debian/Ubuntu).
2. Restart affected applications or services.
3. Verify the update with 'libwebp --version' or check the package version.

🔧 Temporary Workarounds

Disable WebP image processing

Applies to: all

Temporarily disable or block WebP image handling in applications to prevent exploitation.

Configure applications to reject WebP files or use content filters.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems and limit attack surface.
  • Apply strict input validation and sanitization for image uploads to block malicious WebP files.

🔍 How to Verify

Check if Vulnerable:

Check libwebp version with 'libwebp --version' or 'dpkg -l | grep libwebp' on Linux; if version is below 1.0.1, it is vulnerable.

Check Version:

libwebp --version

Verify Fix Applied:

After patching, confirm libwebp version is 1.0.1 or higher using the same commands.
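The version check described above, written out as a script. This is an added example, not part of this advisory: it assumes a Linux host with GNU sort (for 'sort -V') and reads the version from pkg-config (libwebp.pc) or dpkg-query, since distributions ship the library without a 'libwebp' binary; the threshold 1.0.1 is the fixed version stated in this advisory.

```shell
#!/bin/sh
# Added example: decide whether an installed libwebp predates the 1.0.1 fix
# for CVE-2020-36330. Assumes GNU sort and pkg-config and/or dpkg-query.
FIXED_VERSION="1.0.1"

# Strip a Debian/RPM epoch ("2:") and a release suffix ("-2+deb10u1",
# "-3.el8") so only the upstream version is compared.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+].*$//'
}

# Returns 0 (true) when VERSION is older than 1.0.1, i.e. still vulnerable,
# 1 when it is 1.0.1 or newer, and 2 when no version was supplied.
libwebp_is_vulnerable() {
    v=$(upstream_version "$1")
    [ -n "$v" ] || return 2
    [ "$v" = "$FIXED_VERSION" ] && return 1
    # sort -V orders version strings; if ours sorts first it is the older one.
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# Discover the installed version: pkg-config reads libwebp.pc (dev package),
# dpkg-query covers Debian/Ubuntu runtime packages (libwebp6, libwebp7, ...).
installed_libwebp_version() {
    if command -v pkg-config >/dev/null 2>&1; then
        v=$(pkg-config --modversion libwebp 2>/dev/null) && [ -n "$v" ] &&
            { printf '%s\n' "$v"; return 0; }
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}\n' 'libwebp*' 2>/dev/null | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

main() {
    v=$(installed_libwebp_version) || { echo "libwebp not found"; return 2; }
    if libwebp_is_vulnerable "$v"; then
        echo "libwebp $v is older than $FIXED_VERSION: affected by CVE-2020-36330"
        return 1
    fi
    echo "libwebp $v is $FIXED_VERSION or newer: fixed"
}

# Invoke as: sh check-libwebp.sh check   (exit 1 = vulnerable, 2 = not found)
case "${1:-}" in check) main ;; esac
```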

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or errors related to libwebp or WebP processing in system logs.

Network Indicators:

  • Unusual spikes in image uploads or processing requests, especially for WebP files.

SIEM Query:

Example: 'source=*log* AND ("libwebp" OR "WebP") AND (error OR crash OR segfault)'
