CVE-2018-6548

CRITICAL

Webmproject Libwebm < 1.0.0.27 - Use After Free


Description

A use-after-free issue was discovered in libwebm through 2018-02-02. If a Vp9HeaderParser was initialized once before, its property frame_ would not be changed because of code in vp9parser::Vp9HeaderParser::SetFrame. Its frame_ could be freed while the corresponding pointer would not be updated, leading to a dangling pointer. This is related to the function OutputCluster in webm_info.cc.

Scores

CVSS v3: 9.8
EPSS: 0.0053
EPSS Percentile: 67.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-416
Status: published
Products (1): webmproject/libwebm < 1.0.0.27
Published: Feb 02, 2018
Tracked Since: Feb 18, 2026