PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-22709 Microsoft CVE debrief

CVE-2022-22709 is a Microsoft VP9 Video Extensions vulnerability disclosed on 2022-02-09 and scored 7.8 (High) by NVD. The official records indicate affected versions before 1.0.42791.0 and a user-interaction-dependent code execution impact. Administrators should treat it as a patch-priority issue on systems where the extension is installed, especially endpoints that process untrusted media or content.

Vendor: Microsoft
Product: VP9 Video Extensions
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-02-09
Original CVE updated: 2024-11-21
Advisory published: 2022-02-09
Advisory updated: 2024-11-21

Who should care

Windows endpoint owners, IT administrators, and security teams that manage Microsoft VP9 Video Extensions on user systems should care most. It is most relevant where users routinely open content that could trigger the affected extension.

Technical summary

NVD lists the affected CPE as Microsoft VP9 Video Extensions and marks versions before 1.0.42791.0 as vulnerable. The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attack vector is local (AV:L) and user interaction is required (UI:R), so the NVD record does not describe a fully remote, unauthenticated attack path. NVD also records the CWE as NVD-CWE-noinfo, so the public metadata does not provide a specific weakness class.

Defensive priority

High. Apply the fixed version quickly on systems where the extension is installed, since the issue is rated High severity and can lead to high-impact compromise if successfully triggered.

Recommended defensive actions

  • Upgrade Microsoft VP9 Video Extensions to version 1.0.42791.0 or later.
  • Inventory endpoints to confirm whether the extension is installed and where it is used.
  • Prioritize remediation on user-facing devices that handle untrusted media or content.
  • Track Microsoft MSRC guidance for any additional vendor recommendations tied to CVE-2022-22709.
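
One way to carry out the inventory and version check above on a Windows endpoint, as an added example that is not part of the original debrief or Microsoft's guidance. It assumes the extension is installed as the Store package Microsoft.VP9VideoExtensions; the function names and the sample version strings are constructed for illustration.

```powershell
# Added example, not vendor code. The fixed version is the one quoted from NVD above.
$FixedVersion = [version]'1.0.42791.0'
# Assumption: Store package name of the VP9 Video Extensions.
$PackageName  = 'Microsoft.VP9VideoExtensions'

function Test-Vp9Vulnerable {
    param([Parameter(Mandatory)][string]$Version)
    # Compare as [version], never as strings: '1.0.5000.0' sorts after
    # '1.0.42791.0' lexically but is numerically older and still vulnerable.
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) {
        throw "Unparseable version string: $Version"
    }
    return $parsed -lt $FixedVersion
}

function Get-Vp9Status {
    # -AllUsers needs an elevated session. -ErrorAction Stop makes a
    # non-elevated run fail loudly instead of reporting "not installed".
    $pkgs = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction Stop)
    if ($pkgs.Count -eq 0) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Installed  = $false
            Version    = $null
            Vulnerable = $false
        }
    }
    # Several versions can be staged for different users; report each one.
    foreach ($p in $pkgs) {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Installed  = $true
            Version    = $p.Version
            Vulnerable = Test-Vp9Vulnerable -Version $p.Version
        }
    }
}

# Constructed sample versions showing the comparison around the fixed build.
'1.0.5000.0', '1.0.42790.0', '1.0.42791.0', '1.0.50901.0' | ForEach-Object {
    '{0,-14} vulnerable={1}' -f $_, (Test-Vp9Vulnerable -Version $_)
}

# Status of the local machine.
Get-Vp9Status | Format-Table -AutoSize
```

The objects returned by Get-Vp9Status can be collected from many hosts (for example through existing remote management tooling) and filtered on Vulnerable to build the remediation list.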

Evidence notes

The NVD record for CVE-2022-22709 lists Microsoft VP9 Video Extensions as the affected product, with vulnerable versions before 1.0.42791.0. The NVD CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and NVD records NVD-CWE-noinfo. Microsoft’s MSRC advisory is linked from the official records. The public title describes the issue as remote code execution, but the NVD vector indicates user interaction and local attack conditions, so the strongest evidence-supported description is code execution risk with required user interaction rather than an unqualified remote path.

Official resources

Publicly disclosed on 2022-02-09 through official CVE/NVD records and Microsoft MSRC reference material. The NVD record was later modified on 2024-11-21. No CISA KEV entry was provided in the supplied corpus.