Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129)

UPDATE (September 28, 2023, 03:15 a.m. ET): The CVE-2023-5129 ID has been either rejected or withdrawn by the CVE Numbering Authority (Google), since it’s a duplicate of CVE-2023-4863. The entry for the latter has been broadened to include its impact on the libwebp library.

The Chrome zero-day exploited in the wild and patched by Google a few weeks ago has a new ID (CVE-2023-5129) and a description that tells the whole story: the vulnerability is …