
Cloud Vulnerability DB
A community-led vulnerabilities database
A null pointer dereference vulnerability exists in the DirectComposition functionality of the win32kbase.sys driver in Windows 11 version 22000.593 and Windows Server 2022 version 20348.643. The vulnerability was discovered by Jaewon Min of Cisco Talos and disclosed to the vendor on April 25, 2022 (Talos Report).
The vulnerability occurs when integer property 0x3 is set on a CCompositionSurfaceBitmapMarshaler object, which triggers a call to dxgkrnl!DxgkSetCompositionSurfaceInkCookie with the pointer stored at offset +38h of that object. The bug manifests because the driver does not verify that offset +38h holds a valid pointer to a DxgkCompositionObjectType object before making the call, so a NULL value there is dereferenced. The vulnerability has been assigned a CVSS v3.1 score of 5.0 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) and is classified as CWE-476 (NULL Pointer Dereference) (Talos Report).
When exploited, this vulnerability can lead to a system reboot through a Denial of Service condition. An unprivileged user can trigger it by running specially crafted code (Talos Report).
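To make the missing check concrete, here is a constructed C model of the dispatch path described above, added for this entry and not Talos's or Microsoft's code; the structure layouts, type tag, function names and status values are assumptions, not the real win32kbase.sys or dxgkrnl definitions. The vulnerable handler forwards whatever sits at +38h straight into the set-cookie call, while the hardened one rejects a NULL or wrongly-typed pointer first.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the bug described above: names, layout, type tag and
 * status values are assumptions, not the real win32kbase.sys/dxgkrnl types. */
#define MODEL_PROPERTY_INK_COOKIE     0x3   /* integer property id from the report */
#define MODEL_DXGK_COMPOSITION_OBJECT 0x4B  /* assumed tag for DxgkCompositionObjectType */
typedef long NTSTATUS_MODEL;
#define STATUS_SUCCESS_MODEL           0L
#define STATUS_INVALID_PARAMETER_MODEL (-1L)
#define STATUS_NOT_SUPPORTED_MODEL     (-2L)

typedef struct {            /* stand-in for the dxgkrnl composition object */
    uint32_t Type;          /* type tag the hardened path checks */
    uint32_t InkCookie;     /* value written by the set-cookie call */
} DxgkCompositionObjectModel;

typedef struct {            /* stand-in for CCompositionSurfaceBitmapMarshaler */
    uint8_t Header[0x38];   /* the only modelled fact: the pointer lives at +38h */
    DxgkCompositionObjectModel *CompositionObject;  /* +38h, may be NULL */
} CompositionSurfaceBitmapMarshalerModel;

/* Model of dxgkrnl!DxgkSetCompositionSurfaceInkCookie: dereferences its argument. */
static NTSTATUS_MODEL SetInkCookieModel(DxgkCompositionObjectModel *obj, uint32_t cookie) {
    obj->InkCookie = cookie;  /* with obj == NULL this is the reported crash */
    return STATUS_SUCCESS_MODEL;
}

/* Vulnerable handler as reported: property 0x3 forwards +38h without any validation. */
NTSTATUS_MODEL SetIntegerPropertyVulnerable(CompositionSurfaceBitmapMarshalerModel *m, uint32_t prop, uint32_t value) {
    if (prop != MODEL_PROPERTY_INK_COOKIE) return STATUS_NOT_SUPPORTED_MODEL;
    return SetInkCookieModel(m->CompositionObject, value);
}

/* Hardened handler: reject a NULL or wrongly-typed pointer before the call. */
NTSTATUS_MODEL SetIntegerPropertyHardened(CompositionSurfaceBitmapMarshalerModel *m, uint32_t prop, uint32_t value) {
    if (prop != MODEL_PROPERTY_INK_COOKIE) return STATUS_NOT_SUPPORTED_MODEL;
    DxgkCompositionObjectModel *obj = m->CompositionObject;
    if (obj == NULL || obj->Type != MODEL_DXGK_COMPOSITION_OBJECT) return STATUS_INVALID_PARAMETER_MODEL;
    return SetInkCookieModel(obj, value);
}

/* Constructed fixture: a marshaler whose +38h slot is NULL or points at g_object. */
CompositionSurfaceBitmapMarshalerModel g_marshaler;
DxgkCompositionObjectModel g_object;
CompositionSurfaceBitmapMarshalerModel *MakeMarshaler(int attach_object, uint32_t type) {
    g_object.Type = type; g_object.InkCookie = 0;
    g_marshaler.CompositionObject = attach_object ? &g_object : NULL;
    return &g_marshaler;
}
size_t CompositionObjectOffset(void) { return offsetof(CompositionSurfaceBitmapMarshalerModel, CompositionObject); }
```

Calling SetIntegerPropertyVulnerable on a marshaler built with MakeMarshaler(0, 0) reproduces the NULL dereference in the model; the hardened variant returns STATUS_INVALID_PARAMETER_MODEL instead.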
Microsoft has addressed this vulnerability in subsequent updates to Windows 11 and Windows Server 2022. Users should ensure their systems are updated to versions newer than Windows 11 version 22000.593 and Windows Server 2022 version 20348.643 (Talos Report).
Source: This report was generated using AI