Intel/AIKIDO-2024-10099
opencv-python
AIKIDO-2024-10099
opencv-python is vulnerable to Heap-based Buffer Overflow
Heap-based Buffer OverflowCVE-2023-4863 Published May 22, 2024
95
Critical Risk
This Affects:
opencv-python3.1.0.0 - 4.8.1.76
Fixed in 4.8.1.78Are you affected? Scan for Free
TL;DR
Affected versions of the opencv-python-headless library are vulnerable to heap-based buffer overflow. It allows a remote attacker to perform an out-of-bounds memory write via a crafted WebP file.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range. This is only exploitable if 'the color_cache_bits' value defines which size of the HuffmanCode buffer to use.
Background info
opencv-python is vulnerable to Heap-based Buffer Overflow in versions 3.1.0.0 - 4.8.1.76.
How to fix this
Upgrade the opencv-python-headless library to the patch version.
Links
GitHub Releases
Other
openwall.com/lists/oss-security/2023/09/21/4http://www.openwall.com/lists/oss-security/2023/09/21/4
openwall.com/lists/oss-security/2023/09/22/1http://www.openwall.com/lists/oss-security/2023/09/22/1
openwall.com/lists/oss-security/2023/09/22/3http://www.openwall.com/lists/oss-security/2023/09/22/3
openwall.com/lists/oss-security/2023/09/22/4http://www.openwall.com/lists/oss-security/2023/09/22/4
openwall.com/lists/oss-security/2023/09/22/5http://www.openwall.com/lists/oss-security/2023/09/22/5
openwall.com/lists/oss-security/2023/09/22/6http://www.openwall.com/lists/oss-security/2023/09/22/6
openwall.com/lists/oss-security/2023/09/22/7http://www.openwall.com/lists/oss-security/2023/09/22/7
openwall.com/lists/oss-security/2023/09/22/8http://www.openwall.com/lists/oss-security/2023/09/22/8
openwall.com/lists/oss-security/2023/09/26/1http://www.openwall.com/lists/oss-security/2023/09/26/1
openwall.com/lists/oss-security/2023/09/26/7http://www.openwall.com/lists/oss-security/2023/09/26/7
openwall.com/lists/oss-security/2023/09/28/1http://www.openwall.com/lists/oss-security/2023/09/28/1
openwall.com/lists/oss-security/2023/09/28/2http://www.openwall.com/lists/oss-security/2023/09/28/2
openwall.com/lists/oss-security/2023/09/28/4http://www.openwall.com/lists/oss-security/2023/09/28/4
adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/
blog.isosceles.com/the-webp-0day/https://blog.isosceles.com/the-webp-0day/
bugzilla.suse.com/show_bug.cgi?id=1215231https://bugzilla.suse.com/show_bug.cgi?id=1215231
chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.htmlhttps://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
crbug.com/1479274https://crbug.com/1479274
en.bandisoft.com/honeyview/history/https://en.bandisoft.com/honeyview/history/
lists.debian.org/debian-lts-announce/2023/09/msg00015.htmlhttps://lists.debian.org/debian-lts-announce/2023/09/msg00015.html
lists.debian.org/debian-lts-announce/2023/09/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2023/09/msg00016.html
lists.debian.org/debian-lts-announce/2023/09/msg00017.htmlhttps://lists.debian.org/debian-lts-announce/2023/09/msg00017.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
news.ycombinator.com/item?id=37478403https://news.ycombinator.com/item?id=37478403
security-tracker.debian.org/tracker/CVE-2023-4863https://security-tracker.debian.org/tracker/CVE-2023-4863
security.gentoo.org/glsa/202309-05https://security.gentoo.org/glsa/202309-05
security.gentoo.org/glsa/202401-10https://security.gentoo.org/glsa/202401-10
security.netapp.com/advisory/ntap-20230929-0011/https://security.netapp.com/advisory/ntap-20230929-0011/
sethmlarson.dev/security-developer-in-residence-weekly-report-16https://sethmlarson.dev/security-developer-in-residence-weekly-report-16
stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
bentley.com/advisories/be-2023-0001/https://www.bentley.com/advisories/be-2023-0001/
bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
debian.org/security/2023/dsa-5496https://www.debian.org/security/2023/dsa-5496
debian.org/security/2023/dsa-5497https://www.debian.org/security/2023/dsa-5497
debian.org/security/2023/dsa-5498https://www.debian.org/security/2023/dsa-5498
mozilla.org/en-US/security/advisories/mfsa2023-40/https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4863https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4863
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
Resources
Industries
Use Cases
Compare
© 2026 Aikido Security BV | BE0792914919
Keizer Karelstraat 15, 9000, Ghent, Belgium
95 Third St, 2nd Fl, San Francisco, CA 94103, US
Unit 6.15 Runway East 18 18 Crucifix Ln, London SE1 3JW UK
Ghent, Belgium | San Francisco, US
SOC 2Compliant
ISO 27001Compliant