Aggregates CVE and security vulnerability intelligence across all webmproject-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow, vendor risk memory corruption, and vendor risk input validation and related problems; some flaws may lead to vendor impact memory corruption.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2018-6548 | A use-after-free issue was discovered in libwebm through 2018-02-02. If a Vp9HeaderParser was initialized once before, its property frame_ would not be changed because of code in vp9parser::Vp9HeaderParser::SetFrame. Its frame_ could be freed while the corresponding pointer would not be updated, leading to a dangling pointer. This is related to the function OutputCluster in webm_info.cc. | [email protected] | 9.8 | 1.41% | 2018-02-02 | 2026-06-16 |
| CVE-2018-6406 | The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in libwebm through 2018-01-30 does not validate the child_frame_length data obtained from a .webm file, which allows remote attackers to cause an information leak or a denial of service (heap-based buffer over-read and later out-of-bounds write), or possibly have unspecified other impact. | [email protected] | 8.8 | 2.04% | 2018-01-30 | 2026-06-16 |
| CVE-2016-9085 | Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors. | [email protected] | 3.3 | 0.43% | 2017-02-03 | 2026-06-16 |
| CVE-2012-0823 | VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers to cause a denial of service (application crash) via (1) unspecified "corrupt input" or (2) by "starting decoding from a P-frame," which triggers an out-of-bounds read, related to "the clamping of motion vectors in SPLITMV blocks". | [email protected] | 5.0 | 2.63% | 2012-02-23 | 2026-06-16 |
| CVE-2010-4203 | WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames. | [email protected] | 9.8 | 4.57% | 2010-11-05 | 2026-06-16 |