Google Chrome < 116.0.5845.188 — RCE
Simply viewing a malicious WebP image in Chrome can give an attacker complete control of your server.
An attacker who can get you to visit a malicious web page — or who has compromised a website you trust — can serve a malicious WebP image that triggers this overflow. No clicks required beyond navigation to the page. Once triggered, the attacker can run any code they choose on your server as the user running Chrome.
Google Chrome uses the libwebp library to process WebP-format images. WebP is a modern image format used widely on the web — any Chrome browser loading a page with WebP images uses this library. Versions prior to 116.0.5845.188 contain a heap buffer overflow in this library that can be triggered by a malicious image.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Affected OS versions
A security researcher browsing an internal web application from a server session opens a page that an attacker has injected with a malicious WebP image. Within seconds, the attacker has shell access to the server under the browser's user context. This vulnerability was weaponised by commercial spyware vendors before Google patched it.
Manual remediation steps
⏱ 10 minutesCheck Current Version
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
Update Chrome
Option 1 — Chrome Menu
Option 2 — Manual Download
Verification
(Get-ItemProperty 'HKLM:\SOFTWARE\Google\Chrome\BLBeacon').version
# Must show 116.0.5845.188 or later
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References