CVE-2022-29465
Published: 05 August 2022
Summary
CVE-2022-29465 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Accusoft Imagegear. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0. The flaw, tracked as CVE-2022-29465 and assigned CWE-119 and CWE-787, allows a specially crafted malformed PSD file to trigger memory corruption. It received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker can supply a malicious file to an affected ImageGear installation and achieve arbitrary memory corruption, which may be leveraged for remote code execution or denial of service. The attack requires only that the target process the malformed PSD file, enabling remote exploitation without additional authentication steps.
The EPSS score for this CVE stands at 0.1127 with no material increase from its recorded peak, indicating limited observed exploitation interest after disclosure. The primary public reference is the Talos Intelligence report TALOS-2022-1526, which details the technical root cause.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33803
Vulnerability details
An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.