CVE-2023-6704

CVE Details

Visit the official vulnerability details page for CVE-2023-6704 to learn more.

Initial Publication

05/17/2025

Last Update

05/19/2025

Third Party Dependency

libavif15

NIST CVE Summary

Use after free in libavif in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted image file. (Chromium security severity: High)

CVE Severity

8.8

Our Official Summary

This is a high-severity "use-after-free" vulnerability in the libavif library, used in image decoding pipelines (notably in Chromium-based browsers like Google Chrome and Microsoft Edge). The vulnerability allows remote attackers to cause heap corruption via specially crafted AVIF images, potentially leading to arbitrary code execution or denial of service.

This was reported against the KubeVirt UI, which can be accessed from Chrome browsers. Upgrade to the latest version of Chrome, where this vulnerability is fixed. Because the issue is specific to AVIF images, loading of those images can be disabled locally in the Chrome browser. Once a fix is available upstream, we will adopt it.

Status

Open

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
| --- | --- | --- | --- | --- |
| 4.6.25 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |

Revision History

No revisions available.