CVE-2022-48622
Published 2024-01-26
CVE-2022-48622: In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in…
Priority P337 · high · 7.8 (CVSS 3.1)
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.41% (33.2th percentile)
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gdk-pixbuf | < gdk-pixbuf 2.42.10+dfsg-1+deb12u1 (bookworm) | gdk-pixbuf 2.42.10+dfsg-1+deb12u1 (bookworm) |
| gnome | gdk-pixbuf | >= 0 < 2.42.2+dfsg-1+deb11u2 | 2.42.2+dfsg-1+deb11u2 |
| gnome | gdk-pixbuf | >= 0 < 2.42.10+dfsg-1+deb12u1 | 2.42.10+dfsg-1+deb12u1 |
| gnome | gdk-pixbuf | >= 0 < 2.42.12+dfsg-1 | 2.42.12+dfsg-1 |
| gnome | gdk-pixbuf | >= 0 < 2.42.12+dfsg-1 | 2.42.12+dfsg-1 |
| gnome | gdkpixbuf | <= 2.42.10 | — |
| msrc | azl3_gdk-pixbuf2_2.42.10-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_gdk-pixbuf2_2.40.0-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv · 7.8 HIGH
vendor_debian · 7.8 HIGH
vendor_msrc · 7.8 HIGH
vendor_redhat · 7.8 HIGH
Ubuntu
GDK-PixBuf vulnerability
vendor_ubuntu·2024-06-05
Title: GDK-PixBuf vulnerability
Summary: GDK-PixBuf could be made to crash or run programs as
your login if it opened a specially crafted file.
Pedro Ribeiro and Vitor Pedreira discovered that the GDK-PixBuf
library did not properly handle certain ANI files. An attacker
could use this flaw to cause GDK-PixBuf to crash, resulting in
a denial of service, or to possibly execute arbitrary code.
Instructions: After a standard system update you need to restart your session to make all
the necessary changes.
Red Hat
gnome: heap memory corruption on gdk-pixbuf
vendor_redhat·2024-01-26·CVSS 7.8
CVE-2022-48622 [HIGH] CWE-787 gnome: heap memory corruption on gdk-pixbuf
A flaw was found in GNOME's GdkPixbuf library, a library used to load image data in various formats used by GDK for handling graphical assets. This issue occurs when loading a crafted ANI (animated cursor file) file, which may lead to a heap based out-of-bounds write, causing memory corruption. When a successful attack is in place, it can lead to a denial of service
Microsoft
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10 the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani fi
vendor_msrc·2024-01-09·CVSS 7.8
CVE-2022-48622 [HIGH] CWE-787 In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10 the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani fi
In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10 the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparen
Debian
CVE-2022-48622: gdk-pixbuf - In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated c...
vendor_debian·2022·CVSS 7.8
Scope: local
bookworm: resolved (fixed in 2.42.10+dfsg-1+deb12u1)
bullseye: resolved (fixed in 2.42.2+dfsg-1+deb11u2)
forky: resolved (fixed in 2.42.12+dfsg-1)
sid: resolved (fixed in 2.42.12+dfsg-1)
trixie: resolved (fixed in 2.42.12+dfsg-1)
OSV
CVE-2022-48622: In GNOME GdkPixbuf (aka gdk-pixbuf) through 2
osv·2024-01-26·CVSS 7.8
GHSA
GHSA-2pj9-xmx5-6fv3: In GNOME GdkPixbuf (aka gdk-pixbuf) through 2
ghsa_unreviewed·2024-01-26
CVE-2022-48622 [HIGH] CWE-787 GHSA-2pj9-xmx5-6fv3: In GNOME GdkPixbuf (aka gdk-pixbuf) through 2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-01-26