CVE-2022-1921
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Integer overflow in the avidemux element, in the gst_avi_demux_invert function, which allows a heap overwrite while parsing AVI files. Potential for arbitrary code execution through heap overwrite.
Analysis
An integer overflow vulnerability in GStreamer's AVI demux element allows attackers to trigger a heap overwrite when parsing malicious AVI files, potentially leading to arbitrary code execution. The vulnerability affects GStreamer on Debian Linux systems and requires user interaction to exploit (opening a malicious file). A public proof-of-concept exploit is available, though the likelihood of real-world exploitation remains low, with an EPSS score of 0.06%.
Technical Context
The vulnerability resides in the gst_avi_demux_invert function within GStreamer, an open-source multimedia framework used for building streaming media applications. According to the CPE data, the flaw affects all versions of GStreamer (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) as well as Debian Linux 10.0 and 11.0. The root cause is CWE-190 (Integer Overflow or Wraparound): an arithmetic operation on integer values produces a result larger than the integer type can represent, so the value wraps around, and the undersized result then leads to unexpected behavior and memory corruption.
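To illustrate the CWE-190 pattern described above, here is a hypothetical index-chunk parser written for this page; it is not GStreamer's gst_avi_demux_invert or any other GStreamer source. It contrasts an unchecked 32-bit size product, which wraps to a small value, with a checked computation that rejects the header before any allocation; the 16-byte entry size follows the AVI idx1 entry layout, while the chunk layout and sample inputs are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define IDX_ENTRY_SIZE 16u   /* AVI idx1 entries are 16 bytes each */

/* Unchecked: count * entry_size wraps silently in 32-bit arithmetic (CWE-190),
 * so a huge declared count can yield a tiny allocation that is later overrun. */
uint32_t unchecked_index_size(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;
}

/* Checked: reject if the product wraps or exceeds the bytes actually present. */
bool checked_index_size(uint32_t count, uint32_t entry_size,
                        uint32_t max_bytes, uint32_t *out)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, entry_size, &total) || total > max_bytes)
        return false;
    *out = total;
    return true;
}

/* Hypothetical chunk layout: [u32 LE count][count * 16-byte entries]. Copies the
 * entries into a fresh heap buffer (*entries_out, caller frees) and returns the
 * entry count, or -1 when the header cannot be trusted. */
int parse_index_chunk(const uint8_t *chunk, size_t chunk_len, uint8_t **entries_out)
{
    uint32_t count, bytes;
    if (chunk_len < 4 || chunk_len - 4 > UINT32_MAX)
        return -1;
    count = (uint32_t)chunk[0] | (uint32_t)chunk[1] << 8 |
            (uint32_t)chunk[2] << 16 | (uint32_t)chunk[3] << 24;
    if (!checked_index_size(count, IDX_ENTRY_SIZE, (uint32_t)(chunk_len - 4), &bytes))
        return -1;
    *entries_out = malloc(bytes ? bytes : 1);   /* sidestep malloc(0) ambiguity */
    if (*entries_out == NULL)
        return -1;
    memcpy(*entries_out, chunk + 4, bytes);     /* bounded by the check above */
    return (int)count;
}
```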
Affected Products
All versions of the GStreamer multimedia framework are affected by this integer overflow vulnerability, with impact on systems running Debian Linux 10.0 (Buster) and 11.0 (Bullseye) confirmed by the CPE entries cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* and cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*. Debian has released security advisory DSA-5204 for the stable release and separate guidance for the long-term support release, available at https://www.debian.org/security/2022/dsa-5204 and https://lists.debian.org/debian-lts-announce/2022/08/msg00001.html respectively.
Remediation
Apply the security updates provided by Debian through its official channels: DSA-5204 for Debian 11 (Bullseye) and the LTS announcement for Debian 10 (Buster). Update the GStreamer packages using standard package management commands (apt update && apt upgrade). As a temporary mitigation until patching is complete, avoid processing untrusted AVI files with GStreamer-based applications and consider file validation or sandboxing for media processing workflows. The upstream fix is tracked at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224.