CVE-2022-43236 is a stack-buffer-overflow vulnerability identified in libde265 version 1.0.8, specifically within the function put_qpel_fallback<unsigned short> in the fallback-motion.cc source file. Libde265 is an open-source H.265/HEVC video decoder library used to decode video streams encoded in the HEVC format. The vulnerability arises due to improper handling of crafted video data, which leads to a stack-based buffer overflow. An attacker can exploit this flaw by delivering a maliciously crafted video file that triggers the overflow during the decoding process. This results in a Denial of Service (DoS) condition, causing the application or service using libde265 to crash or become unresponsive. The vulnerability does not affect confidentiality or integrity directly but impacts availability. The CVSS v3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), and high impact on availability (A:H). No known exploits are currently reported in the wild, and no patches or vendor-specific products are explicitly mentioned. The vulnerability affects libde265 version 1.0.8, which is commonly integrated into multimedia applications, media players, and streaming platforms that support HEVC video decoding.

For European organizations, the primary impact of CVE-2022-43236 is service disruption due to application crashes when processing malicious HEVC video files. Organizations relying on software or services that incorporate libde265 for video decoding—such as media companies, broadcasters, streaming service providers, and any enterprise using video conferencing or video processing tools—may experience denial of service conditions. This can lead to operational downtime, degraded user experience, and potential loss of revenue or reputation. While the vulnerability does not allow data theft or code execution, the DoS can be leveraged in targeted attacks to disrupt critical media infrastructure or communication channels. Given the increasing use of HEVC video in content delivery and conferencing, the risk is non-negligible. Additionally, if libde265 is embedded in security-sensitive environments (e.g., video surveillance systems), the DoS could impair monitoring capabilities. The requirement for user interaction (opening or processing a crafted video file) limits the attack vector primarily to scenarios where users receive or access untrusted video content.

Organizations should identify all software and systems using libde265 version 1.0.8 and assess their exposure. Since no official patch links are provided, it is recommended to: 1) Upgrade libde265 to a version where this vulnerability is fixed, if available, or apply vendor patches if using third-party products embedding libde265. 2) Implement strict validation and sanitization of video files before processing, including sandboxing video decoding operations to contain potential crashes. 3) Employ application-level controls to restrict or monitor the opening of untrusted or unsolicited video files, especially from external sources. 4) Use network-level protections such as email and web gateways to filter potentially malicious video attachments or downloads. 5) Monitor application logs and system stability for signs of crashes related to video decoding. 6) Engage with software vendors to confirm patch availability and timelines. 7) Consider deploying runtime protection tools that can detect and mitigate buffer overflow attempts during video decoding. These steps go beyond generic advice by focusing on the specific context of video file handling and the integration of libde265 in enterprise environments.