Heap Memory Corruption in GNOME GdkPixbuf for Windows Animated Cursors
CVE-2022-48622
7.8 HIGH
Summary
The vulnerability in GNOME GdkPixbuf arises from improper handling of the ANI (Windows animated cursor) file format, specifically in the ani_load_chunk function in io-ani.c. When GdkPixbuf processes a crafted .ani file, heap memory corruption can occur, potentially overwriting heap metadata. An attacker can exploit this flaw to execute arbitrary code or cause a denial of service. The issue primarily stems from how the gdk_pixbuf_set_option function deals with malformed cursor files, which underscores the need for stringent input validation.
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved