CVE-2022-41992: 
PowerISO vulnerability analysis and mitigation

A memory corruption vulnerability (CVE-2022-41992) exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO 8.3. The vulnerability was discovered by Piotr Bania of Cisco Talos and was publicly disclosed on December 7, 2022. PowerISO is a disk image file processing tool that supports operations on various file formats and mounts images as virtual drives (Talos Report).

The vulnerability exists because the 'Num of blocks' value from the CXSPARSE record is not validated properly in PowerISO 8.3. An attacker can control the loop counter, leading to an out-of-bounds write. The vulnerability has been assigned a CVSSv3 score of 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-787 (Out-of-bounds Write) (Talos Report).

A specially crafted file can lead to an out-of-bounds write when processed by PowerISO. A victim needs to open a malicious file to trigger this vulnerability, which could potentially lead to arbitrary code execution (Talos Blog).

PowerISO has fixed this issue, though they did not change the version number on the fixed release. Users should confirm they are running PowerISO version 8.3 with the most recent bug fixes. The vendor patch was released on November 28, 2022 (Talos Report).