Login Sign Up

CVE-2022-1924

7.8 HIGH
Denial of Service

📋 TL;DR

CVE-2022-1924 is an integer overflow vulnerability in the GStreamer multimedia framework's Matroska demuxer during LZO decompression. This can cause denial of service (segfault) or potentially heap overwrite leading to arbitrary code execution. Systems using GStreamer to process malicious MKV files are affected.

💻 Affected Systems

Products:
  • GStreamer
  • Applications using GStreamer for MKV processing
Versions: GStreamer versions before 1.20.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability manifests when processing MKV files with LZO compression. Impact varies based on libc implementation and OS memory management capabilities.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Gstreamer by Gstreamer Project

View all CVEs affecting Gstreamer →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Heap overwrite leading to arbitrary code execution with the same privileges as the GStreamer process, potentially resulting in full system compromise.

🟠

Likely Case

Denial of service through application crash (segfault) when processing malicious MKV files.

🟢

If Mitigated

No impact if patched or if vulnerable components are not exposed to untrusted MKV files.

🌐 Internet-Facing: MEDIUM - Risk exists if web applications or services process user-uploaded MKV files using GStreamer.
🏢 Internal Only: LOW - Risk limited to internal users intentionally processing malicious MKV files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious MKV file with specific LZO compression parameters to trigger the integer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GStreamer 1.20.4 and later

Vendor Advisory: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

Restart Required: Yes

Instructions:

1. Update GStreamer to version 1.20.4 or later using your distribution's package manager. 2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade gstreamer1.0. 3. Restart any services or applications using GStreamer.

🔧 Temporary Workarounds

Disable MKV processing

linux

Prevent GStreamer from processing MKV files by removing or disabling the matroskademux plugin.

sudo mv /usr/lib/gstreamer-1.0/libgstmatroska.so /usr/lib/gstreamer-1.0/libgstmatroska.so.disabled

🧯 If You Can't Patch

  • Implement strict input validation to reject untrusted MKV files
  • Run GStreamer processes with reduced privileges and in sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check GStreamer version: gst-inspect-1.0 --version | grep version

Check Version:

gst-inspect-1.0 --version

Verify Fix Applied:

Verify version is 1.20.4 or later: gst-inspect-1.0 --version

📡 Detection & Monitoring

Log Indicators:

  • Segfault crashes in GStreamer processes
  • Application logs showing MKV file processing failures

Network Indicators:

  • Unusual MKV file uploads to web applications

SIEM Query:

process_name:"gst-launch" AND (event_type:crash OR exit_code:139)

📊 Metadata

CVE ID: CVE-2022-1924
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-122
Published: July 19, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-1924, you might also want to check these:

CVE-2021-21940 10.0

A heap-based buffer overflow vulnerability in Anker Eufy Homebase 2's RTSP handling allows remote co...

Same vulnerability type (CWE-122)
CVE-2023-45318 10.0

This critical vulnerability allows remote attackers to execute arbitrary code on systems running Wes...

Same vulnerability type (CWE-122)
CVE-2025-23123 10.0

A heap buffer overflow vulnerability in UniFi Protect Camera firmware allows remote code execution. ...

Same vulnerability type (CWE-122)