CVE-2022-43594

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .bmp files.

Weakness

The product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

Name	Vendor	Start Version	End Version
Openimageio	Openimageio	2.4.4.2 (including)	2.4.4.2 (including)
Openimageio	Ubuntu	bionic	*
Openimageio	Ubuntu	focal	*
Openimageio	Ubuntu	kinetic	*
Openimageio	Ubuntu	lunar	*
Openimageio	Ubuntu	mantic	*
Openimageio	Ubuntu	oracular	*
Openimageio	Ubuntu	plucky	*
Openimageio	Ubuntu	trusty	*
Openimageio	Ubuntu	xenial	*

Potential Mitigations

References

https://security.gentoo.org/glsa/202305-33
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
https://www.debian.org/security/2023/dsa-5384
https://security.gentoo.org/glsa/202305-33
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
https://www.debian.org/security/2023/dsa-5384

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-43594
CWE	https://cwe.mitre.org/data/definitions/476.html

NULL Pointer Dereference

Weakness

Affected Software

Potential Mitigations

References