CVE-2026-22554

high
Published 2026-05-20 · Modified 2026-05-29
CVSS v3
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4 NEW
—
not yet in upstream
VIR risk
7.8

Description

MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability

Predictions

Exploit likelihood
75%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified Authored 2026-05-29
**Short-term mitigation** until patched builds are available:

1. **Sandbox all mediainfo invocations** using seccomp-bpf to block `mprotect(PROT_EXEC)`:

   ```bash
   seccomp-tools dump mediainfo --analyze suspicious.mkv
   # Deny PROT_WRITE|PROT_EXEC transitions
   ```

2. **Containerize processing** with minimal capabilities:

   ```yaml
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
       drop: [ALL]
     readOnlyRootFilesystem: true
   ```

3. **Validate media before analysis** using a lightweight header parser to reject malformed channel counts.

**Rollback**: Remove seccomp profile once vendor patches are applied and validated. Test legitimate multi-channel files (5.1, 7.1 surround) post-mitigation to ensure no false positives.

Application impact

Vendor | Product | Versions | Fixed
mediaarea | mediainfolib | 26.01 |

References

CWEs

CWE-122

