Denial of Service Vulnerability in GStreamer Matroska Demuxer
CVE-2022-1922

7.8 HIGH

Key Information:

Status
Vendor
CVE Published: 19 July 2022

What is CVE-2022-1922?

A vulnerability exists in the GStreamer Matroska demuxer, specifically in the gst_matroska_decompress_data function. An integer overflow occurs while MKV files are decompressed with zlib. It can lead to a segmentation fault or, depending on the libc and operating system, to serious memory corruption through a heap overwrite. The severity depends on whether the libc implementation uses mmap for large memory chunks and whether the underlying operating system supports this feature.

Affected Version(s)

GStreamer 1.20.3

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
