CVE-2022-38019
Published: 13 September 2022
Summary
CVE-2022-38019 is a high-severity vulnerability of unspecified weakness type in Microsoft AV1 Video Extension. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 7.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a remote code execution flaw in the AV1 Video Extension component, assigned CVE-2022-38019 with a CVSS 3.1 base score of 7.8. It affects systems running the extension, which provides AV1 codec support for media playback in Windows environments. The issue stems from improper handling of crafted input, enabling arbitrary code execution when the vulnerable code processes malicious content.
An unauthenticated local attacker can exploit the flaw by supplying a specially crafted media file that triggers the vulnerability upon rendering. Successful exploitation grants the attacker full control over the affected process, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability. No privileges are required beyond convincing a user to open the file, and the attack does not cross security boundaries.
Microsoft security advisories recommend applying the vendor-supplied updates for the AV1 Video Extension to address the issue. The patches are distributed through standard Windows update channels and the Microsoft Store, with guidance available in the MSRC vulnerability guide.
The EPSS score has held steady at its peak of 0.0794 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-40625
Vulnerability details
AV1 Video Extension Remote Code Execution Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.