Denial of Service Vulnerability in GStreamer Matroska Plugin
CVE-2022-1925

7.8 HIGH

Key Information:

CVE Published: 19 July 2022

What is CVE-2022-1925?

CVE-2022-1925 is an integer overflow in the matroskaparse element of the GStreamer Matroska plugin, reached during MKV demuxing. The overflow can cause a heap overflow in the gst_matroska_decompress_data function when HEADERSTRIP decompression is used. The matroskademux element enforces certain restrictions on chunk sizes that prevent the overflow from being exploited, but the matroskaparse element lacks suitable size checks, which potentially allows an attacker to cause a Denial of Service on affected systems.
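The class of size check the description refers to, as an added example that is not GStreamer's code: Matroska header stripping stores a fixed prefix once and removes it from every frame, so restoring a chunk means allocating header length plus chunk length and copying both. The helper names, the 32-bit size type and the max_out limit are assumptions chosen to make the wrap-around visible.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers for illustration; not taken from GStreamer. */
enum hs_status { HS_OK = 0, HS_TOO_LARGE = -1, HS_NO_MEM = -2 };

/* Unchecked sum: wraps modulo 2^32, so a buffer sized from it can be far
 * smaller than the bytes that would be copied into it. Shown only to make
 * the failure mode measurable; never size a buffer from this value. */
uint32_t hs_unchecked_size(uint32_t header_len, uint32_t chunk_len)
{
    return header_len + chunk_len;
}

/* Restore a header-stripped chunk: output = header bytes + chunk bytes.
 * Both lengths are validated against max_out BEFORE they are added, so
 * the sum can neither wrap nor exceed the caller's limit. */
enum hs_status headerstrip_restore(const uint8_t *header, uint32_t header_len,
                                   const uint8_t *chunk, uint32_t chunk_len,
                                   uint32_t max_out,
                                   uint8_t **out, uint32_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    /* Subtraction form of the check: max_out - header_len cannot underflow
     * because header_len <= max_out was tested first. */
    if (header_len > max_out || chunk_len > max_out - header_len)
        return HS_TOO_LARGE;

    uint32_t total = header_len + chunk_len;   /* safe: total <= max_out */
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return HS_NO_MEM;

    if (header_len)
        memcpy(buf, header, header_len);
    if (chunk_len)
        memcpy(buf + header_len, chunk, chunk_len);

    *out = buf;
    *out_len = total;
    return HS_OK;
}
```

The caller owns the returned buffer and releases it with free().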

Affected Version(s)

GStreamer 1.20.3

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
