CVE-2020-36332

7.5 HIGH (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, availability impact only)

📋 TL;DR

CVE-2020-36332 is a memory exhaustion vulnerability in the libwebp library in versions before 1.0.1. When decoding a specially crafted WebP image, libwebp allocates an excessive amount of memory, which can crash the decoding process or exhaust the host and so deny service. It affects any application or service that decodes WebP images with a vulnerable libwebp, whether that copy comes from the system package or is bundled with the application.

💻 Affected Systems

Products:
  • libwebp
  • Applications that bundle or link libwebp (browsers such as Chrome and Firefox carry their own copy; so do many image-processing tools and language bindings)
  • Operating systems with vulnerable libwebp packages
Versions: libwebp versions before 1.0.1
Operating Systems: Linux distributions with vulnerable libwebp packages, Windows applications using vulnerable libwebp, macOS applications using vulnerable libwebp
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that processes WebP images using the vulnerable libwebp library is affected. This includes web browsers, image editors, and server-side image processing applications.

📦 What is this software?

libwebp is Google's reference library for encoding and decoding the WebP image format (lossy, lossless, alpha and animation). Browsers link it directly, and it sits underneath ImageMagick, GraphicsMagick, libvips, GD and Python's Pillow, so a vulnerable copy is often present through a wrapper rather than as a package literally named libwebp. The command-line tools cwebp and dwebp ship with the library.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through memory exhaustion leading to application crashes, system instability, or denial of service across affected systems.

🟠

Likely Case

Application crashes or hangs when processing malicious WebP images, causing temporary service disruption.

🟢

If Mitigated

Limited impact with proper memory limits and monitoring; potential isolated application crashes without system-wide effects.

🌐 Internet-Facing: MEDIUM - Any endpoint that decodes user-supplied images (uploads, avatar fetchers, link previews, thumbnailers) can be hit; the attacker only needs to get one crafted file to the decoder.
🏢 Internal Only: LOW - Requires an internal user or process to open a crafted image (for example from e-mail or a shared drive); more likely opportunistic than targeted.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a crafted WebP file that reaches a vulnerable decoder (an upload, an image in a page or e-mail, a thumbnailing job); no authentication, privileges or interaction beyond loading the image is needed. The vulnerability is publicly documented, with proof-of-concept examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libwebp 1.0.1 and later

Vendor Advisory: https://security.netapp.com/advisory/ntap-20211104-0004/ (NetApp's third-party advisory; libwebp itself is maintained by Google and carries the fix from release 1.0.1)

Restart Required: Yes (a running process keeps the old shared object mapped until it is restarted)

Instructions:

1. Update libwebp to 1.0.1 or later, or to a distribution build that backports the fix, using the system package manager.
2. Debian/Ubuntu: the runtime package is versioned (libwebp6 or libwebp7 depending on release; find it with dpkg -l 'libwebp*'), so 'apt upgrade libwebp' finds nothing. Use 'sudo apt-get update && sudo apt-get install --only-upgrade libwebp6' (substitute the name you found) or a plain 'sudo apt-get upgrade'. RHEL/CentOS: 'sudo yum update libwebp' (or 'dnf').
3. Restart every process that has the old library mapped: web servers, image workers, desktop applications. As root, grep -l 'libwebp.*(deleted)' /proc/*/maps lists processes still running the replaced copy.
4. For applications that bundle or statically link libwebp (container images, Python wheels such as Pillow, Electron and mobile apps, vendored builds), update or rebuild the application itself; the system package does not reach those copies.

🔧 Temporary Workarounds

Disable WebP processing (all platforms)

Temporarily disable WebP decoding in applications where that is possible: reject the format at the upload boundary, or remove the WebP coder from the image pipeline (for ImageMagick, a policy.xml coder rule such as <policy domain="coder" rights="none" pattern="WEBP" />). Application-specific configuration changes are required.

Implement memory limits (Linux)

Run image-processing workers under a memory cap so an over-allocating decode fails on its own instead of exhausting the host:

ulimit -v [memory_limit_in_kb]   (caps the address space of the current shell and its children)
Use cgroups or container memory limits for services (systemd MemoryMax=, Docker --memory)

Caveat: ulimit -v bounds virtual address space, not resident memory. Programs that reserve large address ranges (JVMs, sanitizer builds) can fail under a tight limit even when their real usage is small, so size the limit against legitimate worst-case images before enforcing it.
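The memory-cap workaround as a small wrapper, added here as an example; it is not from the advisory or from libwebp. It assumes a POSIX shell whose ulimit supports -v (bash, dash, busybox ash) and, for the cgroup variant, a Linux host with systemd and the cgroup v2 memory controller. The function names, the 256 MiB figure and the dwebp invocation in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): run an untrusted-image decode under a
# hard memory cap so an over-allocating decoder fails by itself instead of
# driving the host into the kernel OOM killer.

# run_capped LIMIT_KB CMD [ARGS...]
#   Runs CMD in a subshell whose virtual address space is capped at LIMIT_KB
#   via ulimit -v. The caller's own limits are untouched. Exit status is
#   CMD's (127 if CMD is missing); 125 means the cap itself could not be
#   applied, e.g. LIMIT_KB is above the hard limit.
run_capped() {
    limit_kb=$1
    shift
    (
        ulimit -v "$limit_kb" || exit 125
        exec "$@"
    )
}

# run_in_cgroup LIMIT CMD [ARGS...]   (Linux with systemd, cgroup v2)
#   Same idea for services: a transient scope with MemoryMax= bounds resident
#   memory plus page cache rather than address space. Needs privileges to
#   create the scope (root, or a delegated user slice).
run_in_cgroup() {
    limit=$1
    shift
    systemd-run --scope -q -p MemoryMax="$limit" "$@"
}

# Usage: cap one decode at 256 MiB (ulimit -v takes KiB, MemoryMax= takes a suffix).
#   run_capped 262144 dwebp upload.webp -o decoded.png
#   run_in_cgroup 256M dwebp upload.webp -o decoded.png
# ulimit -v limits address space, not RSS, so tune the number against
# legitimate worst-case images before turning it on for a fleet.
```

A decode that trips the cap exits with a malloc failure or a signal in the wrapper's subshell; the parent service sees a non-zero status for that one job and keeps running.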

🧯 If You Can't Patch

  • Constrain image uploads before they reach the decoder: enforce a file-size cap, check the RIFF/WEBP header and reject canvas dimensions larger than the service needs (WebPGetFeatures() reports them without decoding). A crafted file can still be structurally valid, so treat this as a filter, not a fix.
  • Decode untrusted images in a separate, memory-limited worker process rather than inside the main service, so a runaway allocation kills only that worker.
  • Deploy memory monitoring and alerting for image-processing hosts (RSS spikes, OOM-killer events) to detect exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check libwebp version: there is no 'libwebp' executable, so use 'dwebp -version' (prints the version of the linked library), 'pkg-config --modversion libwebp' (needs the -dev package), dpkg -l 'libwebp*' (Debian/Ubuntu) or 'rpm -qa | grep libwebp' (RHEL)

Check Version:

dwebp -version 2>/dev/null || pkg-config --modversion libwebp 2>/dev/null || dpkg -l 'libwebp*' 2>/dev/null || rpm -q libwebp 2>/dev/null

Verify Fix Applied:

Confirm the reported version is 1.0.1 or later. Distribution packages often keep an upstream version below 1.0.1 while backporting the fix, so for those check the package changelog ('apt-get changelog libwebp6', 'rpm -q --changelog libwebp | grep -i CVE-2020-36332') or the distribution's advisory for this CVE rather than the version number alone. Re-check separately any application that bundles its own copy.
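The checks above, scripted: an added example (not from the advisory or the libwebp project) that finds the installed version from whichever source is present and compares it with 1.0.1. It assumes a POSIX shell and that the Debian/Ubuntu runtime package is named libwebp6 or libwebp7; the function names are illustrative. The backport caveat still applies to its verdict.

```shell
#!/bin/sh
# Added example (not from the advisory or libwebp): find the installed libwebp
# version and compare it with the fixed release, 1.0.1.
# Caveat: distributions often backport the fix without bumping the upstream
# version string, so "vulnerable" here means "check the package changelog or
# distro advisory", not "known exploitable".

FIXED_VERSION="1.0.1"

# version_ge A B -> exit 0 if dotted version A >= B, comparing up to four
# numeric components. Tolerates a Debian epoch ("1:"), a leading "v", and
# package-release suffixes such as "-2ubuntu1" or "+dfsg".
version_ge() {
    a=${1#*:} b=${2#*:}
    i=1
    while [ "$i" -le 4 ]; do
        ca=$(printf '%s\n' "$a" | cut -d. -f"$i" | sed 's/^[^0-9]*//; s/[^0-9].*//')
        cb=$(printf '%s\n' "$b" | cut -d. -f"$i" | sed 's/^[^0-9]*//; s/[^0-9].*//')
        ca=${ca:-0} cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# detect_libwebp_version -> prints the first version it can find, trying the
# libwebp tools, pkg-config, the Debian runtime package, then RPM. Exit 1 if none.
detect_libwebp_version() {
    # dwebp prints the version of the library it is linked against. There is
    # no "libwebp --version"; the executables are cwebp and dwebp.
    if v=$(dwebp -version 2>/dev/null | head -n 1) && [ -n "$v" ]; then
        printf '%s\n' "$v"; return 0
    fi
    # pkg-config only knows libwebp when the -dev package is installed.
    if v=$(pkg-config --modversion libwebp 2>/dev/null) && [ -n "$v" ]; then
        printf '%s\n' "$v"; return 0
    fi
    # Debian/Ubuntu runtime package is versioned (libwebp7 on newer releases,
    # libwebp6 on older ones); there is no package literally named "libwebp".
    for pkg in libwebp7 libwebp6; do
        if v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) && [ -n "$v" ]; then
            printf '%s\n' "$v"; return 0
        fi
    done
    # rpm -q prints "package libwebp is not installed" on stdout with exit 1,
    # so the exit status, not the output, decides here.
    if v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libwebp 2>/dev/null); then
        printf '%s\n' "$v"; return 0
    fi
    return 1
}

# libwebp_status [VERSION] -> prints "fixed", "vulnerable" or "unknown" for
# the given version, or for the detected one when none is given.
libwebp_status() {
    v=${1:-}
    if [ -z "$v" ]; then
        v=$(detect_libwebp_version) || v=""
    fi
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Run as a script with --check to report on the local install:
#   sh check_libwebp.sh --check
if [ "${1:-}" = "--check" ]; then libwebp_status; fi
```

A "fixed" result from a distribution package is trustworthy; a "vulnerable" result on RHEL or Debian stable is the cue to read the changelog, since both ship patched builds under the old upstream version.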

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory allocation errors
  • High memory usage spikes in image processing applications
  • Kernel OOM (Out of Memory) killer logs

Network Indicators:

  • Unusual volumes of WebP uploads, or WebP files arriving at endpoints that normally receive JPEG/PNG
  • Bursts of image-processing requests that time out, return 5xx, or are followed by worker restarts

SIEM Query (Splunk-style pseudo-syntax; map the field names to your schema and list your real decoder/worker binaries rather than relying on the *image* glob):

(source="application.logs" OR source="kernel") AND ("Out of memory: Killed process" OR "out of memory" OR "malloc failed" OR "segmentation fault") AND (process="*image*" OR process="dwebp" OR process="convert" OR process="magick" OR process="vips")

🔗 References

  • NetApp advisory: https://security.netapp.com/advisory/ntap-20211104-0004/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-36332