Cyber Resilience

CVE-2022-38019

Severity: High
Published: 13 September 2022
Modified: 02 January 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: vendor updates available
CVSS Score (v3.1): 7.8, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.0794 (92.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-38019 is a high-severity vulnerability (weakness type unspecified) in Microsoft AV1 Video Extension. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 7.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a remote code execution flaw in the AV1 Video Extension component, assigned CVE-2022-38019 with a CVSS 3.1 base score of 7.8. It affects systems running the extension, which provides AV1 codec support for media playback in Windows environments. The issue stems from improper handling of crafted input: arbitrary code executes when the vulnerable code processes malicious content.

An unauthenticated local attacker can exploit the flaw by supplying a specially crafted media file that triggers the vulnerability when it is rendered. Successful exploitation grants the attacker full control of the affected process, allowing arbitrary code execution with high impact on confidentiality, integrity, and availability. No privileges are required, but user interaction is: the victim must open the file. Scope is unchanged (S:U), so the attack does not cross a security boundary beyond the affected process.

Microsoft security advisories recommend applying the vendor-supplied updates for the AV1 Video Extension to address the issue. The patches are distributed through standard Windows update channels and the Microsoft Store, with guidance available in the MSRC vulnerability guide.

The EPSS score has remained flat at 0.0794, its peak, since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

AV1 Video Extension Remote Code Execution Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: av1 video extension
Affected versions: ≤ 1.1.51091.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
