Debian Linux CVE-2022-1921

Severity: HIGH (CVSS 3.1 base score 7.8)
Weakness: Integer Overflow or Wraparound (CWE-190)
Published: 2022-07-19, assigned by secalert@redhat.com

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 15:52 (vuln.today); public exploit code
CVE Published: Jul 19, 2022 - 20:15 (nvd)

Description (NVD)

Integer overflow in the avidemux element, in the gst_avi_demux_invert function, which allows a heap overwrite while parsing AVI files. Potential for arbitrary code execution through heap overwrite.

Analysis (AI)

An integer overflow vulnerability in GStreamer's AVI demux element allows attackers to trigger a heap overwrite when a malicious AVI file is parsed, potentially leading to arbitrary code execution. The vulnerability affects GStreamer on Debian Linux systems and requires user interaction to exploit (opening a malicious file). A public proof-of-concept exploit is available, though the likelihood of real-world exploitation remains low, with an EPSS score of 0.06%.

Technical Context (AI)

The vulnerability resides in the gst_avi_demux_invert function within GStreamer, an open-source multimedia framework used for building streaming media applications. According to the CPE data, the flaw affects all versions of GStreamer (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) as well as Debian Linux 10.0 and 11.0. The root cause is CWE-190 (Integer Overflow or Wraparound): an arithmetic operation on integer values produces a result larger than the integer type can represent, so the value wraps around, and a size or offset derived from it no longer matches the memory that is actually allocated, leading to memory corruption.
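The following is an added illustration of the CWE-190 pattern described above, not GStreamer's code and not the actual arithmetic in gst_avi_demux_invert: a hypothetical frame-size computation of the kind a demuxer performs from header fields before copying rows, shown unchecked beside a hardened variant that uses overflow-checked arithmetic (the `avi_vids_hdr` structure, field names and sample header values are constructed for this example).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical video-format fields as read from an AVI file header.
 * Constructed for this example; not GStreamer's structures. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint16_t bit_count;   /* bits per pixel */
} avi_vids_hdr;

/* CWE-190 pattern: width * bit_count and stride * height are computed in
 * 32-bit arithmetic, so attacker-chosen header values can wrap and yield a
 * frame size far smaller than the rows a later copy loop would write. */
uint32_t frame_size_unchecked(const avi_vids_hdr *h)
{
    uint32_t stride = (h->width * h->bit_count + 31) / 32 * 4; /* DWORD-aligned rows */
    return stride * h->height;
}

/* Hardened variant: every operation is tested for wraparound and the result
 * is bounded by the actual chunk length. Returns 0 when the header cannot
 * describe a real frame (zero dimensions, overflow, or more bytes than present). */
size_t frame_size_checked(const avi_vids_hdr *h, size_t chunk_len)
{
    uint32_t bits, stride, total;
    if (h->width == 0 || h->height == 0 || h->bit_count == 0) return 0;
    if (__builtin_mul_overflow(h->width, (uint32_t)h->bit_count, &bits)) return 0;
    if (__builtin_add_overflow(bits, 31u, &bits)) return 0;
    stride = bits / 32 * 4;
    if (__builtin_mul_overflow(stride, h->height, &total)) return 0;
    if (total > chunk_len) return 0;   /* header claims more data than the chunk holds */
    return total;
}

/* Constructed sample headers: a plausible 320x240 24-bit frame, and one whose
 * width * bit_count equals 2^32 + 32 and therefore wraps to 32 in uint32_t. */
const avi_vids_hdr benign_hdr  = { 320u,        240u, 24u };
const avi_vids_hdr wrapped_hdr = { 0x08000001u, 100u, 32u };

int main(void)
{
    printf("benign  unchecked=%u checked=%zu\n",
           frame_size_unchecked(&benign_hdr), frame_size_checked(&benign_hdr, 230400));
    printf("wrapped unchecked=%u checked=%zu\n",
           frame_size_unchecked(&wrapped_hdr), frame_size_checked(&wrapped_hdr, 400));
    return 0;
}
```

For the wrapped header the unchecked computation reports a 400-byte frame, while each real row would be over 500 MB wide; the checked variant rejects the header outright, which is the kind of bound that stops the size/allocation mismatch behind a heap overwrite.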

Remediation (AI)

Apply the security updates provided by Debian through its official channels: DSA-5204 for Debian 11 (Bullseye) and the LTS announcement for Debian 10 (Buster). Users should update their GStreamer packages with the standard package management commands (apt update && apt upgrade). As a temporary mitigation until patching is complete, avoid processing untrusted AVI files with GStreamer-based applications, and consider file validation or sandboxing for media processing workflows. The upstream fix is tracked at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224.
