CVE-2022-1923
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
DoS / potential heap overwrite in MKV demuxing using bzip decompression. An integer overflow in the bzip decompression function of the matroskademux element causes a segfault or, depending on the libc used and the underlying OS capabilities, a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.
Analysis
An integer overflow vulnerability in GStreamer's matroska demuxer can cause denial of service through segmentation faults or potentially allow heap memory corruption when processing malformed MKV files with bzip compression. The vulnerability affects GStreamer versions prior to patches released in 2022, with proof-of-concept exploits publicly available and an EPSS score of 0.04% indicating low but non-zero exploitation probability. While not currently in CISA's KEV catalog, the vulnerability requires only local access with user interaction to exploit, achieving high impact across confidentiality, integrity, and availability.
Technical Context
The vulnerability exists in the matroskademux element of GStreamer, a popular multimedia framework, specifically in the bzip decompression function used when parsing MKV (Matroska) container files. According to the CPE data, all versions of GStreamer (cpe:2.3:a:gstreamer:gstreamer:*) are affected, along with Debian Linux 10.0 and 11.0. The root cause is CWE-122 (Heap-based Buffer Overflow), where an integer overflow during memory reallocation can lead to writing beyond allocated heap boundaries. The security impact varies based on the libc implementation and operating system memory management capabilities - systems using mmap for large allocations will experience only denial of service, while others may suffer heap corruption.
Affected Products
GStreamer multimedia framework versions prior to the 2022 security patches are vulnerable, as indicated by the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Debian Linux distributions are specifically affected, with Debian 10.0 (Buster) and Debian 11.0 (Bullseye) requiring updates as documented in Debian Security Advisory DSA-5204 and the Debian LTS security announcements. The vulnerability was reported by Red Hat's security team and affects the matroskademux element specifically when processing MKV files with bzip compression.
Remediation
Apply the security updates provided by your distribution immediately - Debian users should install the patches referenced in DSA-5204 (https://www.debian.org/security/2022/dsa-5204) and the LTS announcement (https://lists.debian.org/debian-lts-announce/2022/08/msg00001.html). For systems that cannot be immediately patched, consider implementing application-level controls to prevent processing of untrusted MKV files or disable bzip decompression support in GStreamer if not required. Monitor the upstream GStreamer issue tracker at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 for additional updates and verify successful patching by testing with the proof-of-concept if available in a controlled environment.
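One way to implement the application-level control mentioned above, as an added example that is not part of the advisory or of GStreamer: a pre-filter that walks a file's EBML structure and flags any track declaring bzlib compression, so it can be rejected before it reaches the bzip decompression path. The element IDs and the ContentCompAlgo values are from the Matroska specification; the function names, the fail-closed policy and the sample bytes are assumptions made for the example.

```python
# Added example, not GStreamer code. Element IDs are from the Matroska spec.
# Master elements to descend into: Segment, Tracks, TrackEntry,
# ContentEncodings, ContentEncoding, ContentCompression.
MASTERS = {0x18538067, 0x1654AE6B, 0xAE, 0x6D80, 0x6240, 0x5034}
CONTENT_COMP_ALGO = 0x4254  # 0 zlib, 1 bzlib, 2 lzo1x, 3 header stripping
BZLIB = 1

def _vint(data, pos, keep_marker):
    """Decode one EBML variable-length integer at pos -> (value, byte length)."""
    length, mask = 1, 0x80
    while length <= 8 and not data[pos] & mask:
        length, mask = length + 1, mask >> 1
    if length > 8 or pos + length > len(data):
        raise ValueError("bad or truncated vint")
    raw = int.from_bytes(data[pos:pos + length], "big")
    return (raw if keep_marker else raw & ((1 << 7 * length) - 1)), length

def uses_bzlib(data, pos=0, end=None):
    """True if any track declares ContentCompAlgo == bzlib."""
    end = len(data) if end is None else end
    while pos < end:
        elem_id, n = _vint(data, pos, True)
        size, m = _vint(data, pos + n, False)
        pos += n + m
        unknown = size == (1 << 7 * m) - 1  # all-ones size: runs to parent end
        if not unknown and pos + size > end:
            raise ValueError("element overruns its parent")
        stop = end if unknown else pos + size
        if elem_id == CONTENT_COMP_ALGO:
            if int.from_bytes(data[pos:stop], "big") == BZLIB:
                return True
        elif elem_id in MASTERS and uses_bzlib(data, pos, stop):
            return True
        pos = stop
    return False

def should_reject(data):  # fail closed: bzlib tracks and unparseable input
    try:
        return uses_bzlib(data)
    except (ValueError, IndexError):
        return True

def _el(elem_id_hex, payload):  # builder for the constructed sample below
    return bytes.fromhex(elem_id_hex) + bytes([0x80 | len(payload)]) + payload

def sample(algo):  # constructed: EBML header, Segment > Tracks > TrackEntry > algo
    comp = _el("5034", _el("4254", bytes([algo])))
    track = _el("AE", _el("6D80", _el("6240", comp)))
    return _el("1A45DFA3", b"") + _el("18538067", _el("1654AE6B", track))
```

The functions accept any bytes-like object, so a large file can be passed as a read-only mmap instead of being read into memory. A match means the file would exercise bzip decompression in the demuxer, not that it is malicious.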