CVE-2022-48622: 
Rocky Linux vulnerability analysis and mitigation

CVE-2022-48622 affects GNOME's GdkPixbuf library through version 2.42.10, which is used for loading image data in various formats. The vulnerability was discovered in January 2024 and involves heap memory corruption in the ANI (Windows animated cursor) decoder when parsing chunks in crafted .ani files (Ubuntu Security, NVD).

The vulnerability occurs in the ANI decoder's aniloadchunk function within io-ani.c and specifically involves the gdkpixbufset_option() function in gdk-pixbuf.c. When parsing chunks in a crafted .ani file, the decoder encounters heap memory corruption that can lead to heap metadata being overwritten. The issue stems from improper handling of context->pos in a loop that processes icon subchunks, where the loop is called twice with the same context->pos value (GitLab Issue). The vulnerability has been assigned a CVSS score of 7.8 (High) (Ubuntu Security).

A successful exploitation of this vulnerability could allow an attacker to overwrite heap metadata, potentially leading to denial of service or code execution. The impact is particularly significant as GdkPixbuf is widely used by GTK+ and other toolkits for handling image formats (Red Hat CVE).

Multiple Linux distributions have released security updates to address this vulnerability. Red Hat has released fixes for both RHEL 8 and RHEL 9 systems through updated gdk-pixbuf2 packages. Ubuntu has also provided fixes across multiple versions including 24.04 LTS, 23.10, 22.04 LTS, 20.04 LTS, and 18.04 LTS (Red Hat Advisory, Ubuntu Security).