The WebP 0day

Google recently released a Chrome update that addressed a security issue reported by Apple. The issue, labeled CVE-2023-4863, was a heap buffer overflow in the WebP image library, and an exploit for it was being used in the wild. A connection was made between this vulnerability and an earlier one found on an iPhone belonging to an employee of a civil society organization in Washington DC. The exploit involved a “zero-click” vulnerability in iMessage, which allowed the deployment of the Pegasus spyware. The technical analysis of CVE-2023-4863 reveals how the vulnerability worked and the steps taken to trigger it. Overall, uncovering this bug was a complex process that required extensive analysis.
