CVE-2020-36328
Severity: CRITICAL
libwebp < 1.0.1 - Heap-Based Buffer Overflow in WebPDecodeRGBInto
A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References (7)
https://bugzilla.redhat.com/show_bug.cgi?id=1956829 (Issue Tracking, Patch, Release Notes, Third Party Advisory; x_refsource_misc)
https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html (Mailing List, Third Party Advisory; x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html (Mailing List, Third Party Advisory; x_refsource_mlist)
https://www.debian.org/security/2021/dsa-4930 (Vendor Advisory, Third Party Advisory; x_refsource_debian)
https://support.apple.com/kb/HT212601 (Third Party Advisory; x_refsource_confirm)
http://seclists.org/fulldisclosure/2021/Jul/54 (Mailing List, Third Party Advisory; x_refsource_fulldisc)
https://security.netapp.com/advisory/ntap-20211112-0001/ (Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0053
EPSS Percentile: 67.2%
Details
CWE: CWE-787
Status: published
Products (8)
apple/ipados 14.7
apple/iphone_os 14.7
debian/debian_linux 9.0
debian/debian_linux 10.0
netapp/ontap_select_deploy_administration_utility
redhat/enterprise_linux 7.0
redhat/enterprise_linux 8.0
webmproject/libwebp < 1.0.1
Published: May 21, 2021
Tracked Since: Feb 18, 2026