CVE-2022-48622

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
VendorProductVersion
gnomegdkpixbuf
𝑥
≤ 2.42.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gdk-pixbuf
bullseye
2.42.2+dfsg-1+deb11u2
fixed
buster
postponed
bullseye (security)
vulnerable
bookworm
2.42.10+dfsg-1+deb12u1
fixed
sid
2.42.12+dfsg-1
fixed
trixie
2.42.12+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gdk-pixbuf
noble
Fixed 2.42.10+dfsg-3ubuntu3.1
released
mantic
Fixed 2.42.10+dfsg-1ubuntu0.1
released
lunar
ignored
jammy
Fixed 2.42.8+dfsg-1ubuntu0.3
released
focal
Fixed 2.40.0+dfsg-3ubuntu0.5
released
bionic
Fixed 2.36.11-2ubuntu0.1~esm1
released
xenial
Fixed 2.32.2-1ubuntu1.6+esm1
released
trusty
ignored
Common Weakness Enumeration
References
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202