Mozilla has issued updates to its Firefox web browser and Thunderbird email client that fix a zero-day flaw being actively exploited.
Mozilla described the issue, labeled “CVE-2023-4863: Heap buffer overflow in libwebp,” in an advisory:
Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.
The following versions have the fix:
Firefox 117.0.1
Firefox ESR 102.15.1
Firefox ESR 115.2.1
Thunderbird 102.15.1
Thunderbird 115.2.2
As Mozilla points out, the issue is in the WebP library (libwebp), which is also used by competing web browsers. This is no doubt what Mozilla is referencing when it says the issue is “being exploited in other products.”
Needless to say, all users should update immediately.
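For anyone auditing a fleet against the fixed versions listed above, here is an added example (not Mozilla's code, and not part of the original article) that decides whether a reported Firefox or Thunderbird version carries the fix. It encodes the page's fixed versions per release line and assumes that any major version newer than every listed line was cut after the fix landed.

```python
import re

# Minimum fixed versions from Mozilla's advisory, one entry per release line
# (keyed by major version). Values are the ones listed on this page.
FIXED_LINES = {
    "firefox": {102: (102, 15, 1), 115: (115, 2, 1), 117: (117, 0, 1)},
    "thunderbird": {102: (102, 15, 1), 115: (115, 2, 2)},
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as '117.0.1',
    'Mozilla Firefox 115.2.1esr' or 'Thunderbird 102.15'. A missing patch
    component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_patched(product, version_text):
    """Return True if this build carries the CVE-2023-4863 fix.

    Rules: a major that matches a listed release line is compared against that
    line's fixed version; a major newer than every listed line is assumed
    patched (assumption: later lines were cut after the fix); any other major
    (e.g. Firefox 116, or anything older than 102) is treated as unpatched,
    since those lines were superseded without receiving this update.
    """
    lines = FIXED_LINES[product.lower()]
    version = parse_version(version_text)
    major = version[0]
    if major in lines:
        return version >= lines[major]
    return major > max(lines)


if __name__ == "__main__":
    # Constructed sample inputs, as they might come from an inventory tool.
    for product, text in [("firefox", "Mozilla Firefox 116.0.3"),
                          ("firefox", "117.0.1"),
                          ("thunderbird", "115.2.1")]:
        state = "patched" if is_patched(product, text) else "VULNERABLE"
        print(f"{product} {text}: {state}")
```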