CVE-2022-1920

Severity: HIGH (CVSS 3.1 base score 7.8)
Published: 2022-07-19

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 15:52 (vuln.today), public exploit code
CVE Published: Jul 19, 2022 - 20:15 (nvd), HIGH 7.8

Description

Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.

Analysis

An integer overflow vulnerability in the GStreamer multimedia framework's matroska demuxer allows heap memory corruption when parsing specially crafted Matroska video files. The vulnerability affects GStreamer versions across multiple Linux distributions and can lead to arbitrary code execution through heap overwrite, requiring only local access and user interaction to open a malicious file. A public proof-of-concept exploit is available, though the estimated likelihood of exploitation is low, with an EPSS score of 0.07%.

Technical Context

The vulnerability resides in the matroskademux element of GStreamer, specifically in the gst_matroska_demux_add_wvpk_header function that processes Matroska (MKV) container files. According to the CPE data, this affects the core GStreamer library (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) as well as specific implementations in Debian Linux 10.0 and 11.0. The weakness is classified as CWE-122 (Heap-based Buffer Overflow): an integer overflow during header parsing calculations leads to insufficient memory allocation, allowing subsequent operations to write beyond allocated heap boundaries.
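The size arithmetic behind this bug class, shown as an added example that is not GStreamer's code and does not come from the original page: a fixed header size is added to a length declared in the file, first unchecked and then with the overflow and bounds checks a parser needs before allocating. HDR_LEN, both function names and the sample lengths are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed size of the fixed header prepended to each block (illustrative). */
#define HDR_LEN 32u

/* Unchecked pattern: the sum is computed in 32 bits, so a declared block
 * length close to UINT32_MAX wraps to a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t block_len)
{
    return block_len + HDR_LEN;
}

/* Hardened pattern: returns the allocation size, or 0 to reject the block.
 * 0 is never a valid result because the header alone is HDR_LEN bytes. */
size_t alloc_size_checked(uint32_t block_len, size_t bytes_available)
{
    if (block_len > UINT32_MAX - HDR_LEN)
        return 0;               /* block_len + HDR_LEN would wrap */
    if (block_len > bytes_available)
        return 0;               /* declared length exceeds the data present */
    return (size_t)block_len + HDR_LEN;
}

int main(void)
{
    /* Constructed sample lengths, not taken from a real file. */
    const uint32_t samples[] = { 100u, 2000u, 0xFFFFFFF0u };
    const size_t available = 1024;   /* bytes left in the constructed input */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("declared=%u unchecked=%u checked=%zu\n",
               (unsigned)samples[i],
               (unsigned)alloc_size_unchecked(samples[i]),
               alloc_size_checked(samples[i], available));
    }
    return 0;
}
```

A buffer sized by the unchecked function for the last sample would be 16 bytes, far smaller than the data a later copy would write into it; the checked function rejects that block before any allocation happens.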

Affected Products

GStreamer multimedia framework in all versions prior to the patched releases is vulnerable, as indicated by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Specifically confirmed affected are Debian Linux 10.0 (Buster) and Debian Linux 11.0 (Bullseye) distributions. The vulnerability details and patches are documented in Debian Security Advisory DSA-5204 available at https://www.debian.org/security/2022/dsa-5204 and the upstream issue at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226.

Remediation

Apply the security updates provided by your Linux distribution immediately. Debian users should install the patches referenced in DSA-5204 at https://www.debian.org/security/2022/dsa-5204 and the LTS announcement at https://lists.debian.org/debian-lts-announce/2022/08/msg00001.html. For systems that cannot be immediately patched, implement compensating controls by restricting access to untrusted Matroska files and using sandboxed media players or containers when processing video files from unknown sources. Monitor the upstream GStreamer issue at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 for additional patch information.

Priority Score

59 (KEV: 0, EPSS: +0.1, CVSS: +39, POC: +20)
