CVE-2022-48622Out-of-bounds Write in Gdkpixbuf

CWE-787Out-of-bounds Write8 documents8 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 76.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gnome Gdk-pixbufGnome Gdkpixbuf
Timeline
PublishedJan 26
Latest updateJun 5

Description

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDgnome/gdkpixbuf2.42.10
Debiangnome/gdk-pixbuf< 2.42.2+dfsg-1+deb11u2+3

🔴Vulnerability Details

3
CVEList
CVE-2022-48622: In GNOME GdkPixbuf (aka gdk-pixbuf) through 22024-01-26
OSV
CVE-2022-48622: In GNOME GdkPixbuf (aka gdk-pixbuf) through 22024-01-26
GHSA
GHSA-2pj9-xmx5-6fv3: In GNOME GdkPixbuf (aka gdk-pixbuf) through 22024-01-26

📋Vendor Advisories

4
Ubuntu
GDK-PixBuf vulnerability2024-06-05
Red Hat
gnome: heap memory corruption on gdk-pixbuf2024-01-26
Microsoft
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10 the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani fi2024-01-09
Debian
CVE-2022-48622: gdk-pixbuf - In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated c...2022
CVE-2022-48622 — Out-of-bounds Write in Gnome Gdkpixbuf | cvebase