cbcvebase.
CVE-2022-48622
published 2024-01-26

CVE-2022-48622: In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in…

PriorityP337high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
0.41%
33.2th percentile
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Affected

12 ranges
VendorProductVersion rangeFixed in
debiangdk-pixbuf< gdk-pixbuf 2.42.10+dfsg-1+deb12u1 (bookworm)gdk-pixbuf 2.42.10+dfsg-1+deb12u1 (bookworm)
gnomegdk-pixbuf>= 0 < 2.42.2+dfsg-1+deb11u22.42.2+dfsg-1+deb11u2
gnomegdk-pixbuf>= 0 < 2.42.10+dfsg-1+deb12u12.42.10+dfsg-1+deb12u1
gnomegdk-pixbuf>= 0 < 2.42.12+dfsg-12.42.12+dfsg-1
gnomegdk-pixbuf>= 0 < 2.42.12+dfsg-12.42.12+dfsg-1
gnomegdkpixbuf<= 2.42.10
msrcazl3_gdk-pixbuf2_2.42.10-2_on_azure_linux_3.0
msrcazure_linux_3.0_arm
msrcazure_linux_3.0_x64
msrccbl2_gdk-pixbuf2_2.40.0-6_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv7.8HIGH
vendor_debian7.8HIGH
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.