This vulnerability was initially misidentified as a Chrome vulnerability, but Google has since assigned it to the open-source libwebp library used to encode and decode images in WebP format.

Source: https://techcrunch.com/2023/09/28/google-patches-zero-day-exploited-by-commercial-spyware-vendor/