Last week we covered the latest 0-day from NSO group, BLASTPASS. There are more details about exactly how that works, and a bit of a worrying revelation for Android users. One of the vulnerabilities used was CVE-2023-41064, a buffer overflow in the ImageIO library. The details have not been confirmed, but the timing suggests that this is the same bug as CVE-2023-4863, a WebP 0-day flaw in Chrome that is known to be exploited in the wild. The problem seems to be an Out Of Bounds write in the BuildHuffmanTable() function of libwebp.

And to understand that, we have to understand what libwebp does, and what a Huffman Table has to do with it. WebP is Google’s pet image format, potentially replacing JPEG, PNG, and GIF. It supports lossy and lossless compression, and the compression format for lossless images uses Huffman coding among other techniques. And hence, we have a Huffman table, a building block in the image compression and decompression. What’s particularly fun about this compression technique is that the image includes not just Huffman compressed data, but also a table of statistical data needed for decompression.
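Because the table data travels inside the image, a decoder has to treat it as untrusted input. The following is an added example, not libwebp's code and not a reconstruction of the unconfirmed bug: a sketch of building a flat lookup table from file-supplied code lengths, rejecting lengths that do not form a complete prefix code or that need more entries than the caller allocated. The names `build_table`, `Entry` and `MAX_BITS` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BITS 15                 /* assumed upper bound on code length */

typedef struct { uint8_t len; uint16_t sym; } Entry;   /* hypothetical layout */

/* Build a flat lookup table from code lengths read from an untrusted file.
 * Returns the number of entries written, or 0 if the lengths are rejected. */
size_t build_table(const uint8_t *lens, size_t n, Entry *table, size_t cap) {
    uint32_t count[MAX_BITS + 1] = {0}, next[MAX_BITS + 1], code = 0;
    int max_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > MAX_BITS) return 0;          /* length out of range */
        count[lens[i]]++;
        if (lens[i] > max_len) max_len = lens[i];
    }
    if (max_len == 0) return 0;                    /* no symbols at all */

    /* Kraft check: a complete prefix code fills exactly 2^max_len slots. */
    uint64_t used = 0;
    for (int l = 1; l <= max_len; l++)
        used += (uint64_t)count[l] << (max_len - l);
    size_t size = (size_t)1 << max_len;
    if (used != size) return 0;                    /* over- or under-subscribed */
    if (size > cap) return 0;                      /* would not fit the buffer */

    /* Canonical code assignment: first code of each length. */
    for (int l = 1; l <= max_len; l++) {
        next[l] = code;
        code = (code + count[l]) << 1;
    }
    for (size_t i = 0; i < n; i++) {
        int l = lens[i];
        if (l == 0) continue;                      /* symbol unused */
        size_t span = (size_t)1 << (max_len - l);
        size_t first = (size_t)next[l]++ << (max_len - l);
        for (size_t k = 0; k < span; k++)          /* first + span <= size here */
            table[first + k] = (Entry){ (uint8_t)l, (uint16_t)i };
    }
    return size;
}

int main(void) {
    const uint8_t lens[] = {1, 2, 3, 3};           /* constructed sample input */
    Entry table[8];
    printf("entries: %zu\n", build_table(lens, 4, table, 8));
    return 0;
}
```

The size check runs before any entry is written, so a rejected table leaves the caller's buffer untouched.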