PatchSiren cyber security CVE debrief
CVE-2022-24457 Microsoft CVE debrief
CVE-2022-24457 is a Microsoft HEIF Image Extension vulnerability that Microsoft labels as remote code execution. The supplied NVD data rates it 7.8 High and maps it to CWE-787 (out-of-bounds write). NVD’s vector indicates a local attack that requires user interaction, with high impact to confidentiality, integrity, and availability. The affected product scope in the supplied metadata is Microsoft heif_image_extension versions before 1.0.43012.0.
- Vendor: Microsoft
- Product: HEIF Image Extension
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2022-03-09
- Original CVE updated: 2024-11-21
- Advisory published: 2022-03-09
- Advisory updated: 2024-11-21
Who should care
Endpoint administrators, patch management teams, and security teams responsible for Windows systems that have the Microsoft HEIF Image Extension installed, especially user workstations where people open HEIF images.
Technical summary
The supplied NVD metadata shows a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and a CWE-787 (out-of-bounds write) weakness classification. Read together, that means an unprivileged attacker needs a user to open crafted HEIF content on the target (AV:L, UI:R); the weakness is consistent with an out-of-bounds write while the extension parses the file, which can lead to code execution in the context of the user who opened it, with high impact to confidentiality, integrity, and availability. There is no privileged or fully remote pre-authentication path in the vector. Microsoft's "remote code execution" label and NVD's local attack vector are not in conflict: the malicious file arrives from outside, but it is decoded locally. The vulnerable CPE entry covers Microsoft heif_image_extension versions earlier than 1.0.43012.0. Microsoft's MSRC advisory is the vendor source referenced in the NVD record.
Defensive priority
High priority. Patch affected systems in the next maintenance window, and sooner on systems that routinely open untrusted HEIF content (mail attachments, downloads, shared drives). The item is not marked as a Known Exploited Vulnerability in the supplied data, so there is no evidence here of in-the-wild exploitation; that lowers urgency relative to KEV entries but does not change the 7.8 rating.
Recommended defensive actions
- Verify whether Microsoft HEIF Image Extension is installed on your endpoints and identify systems running versions earlier than 1.0.43012.0.
- Apply Microsoft’s remediation for CVE-2022-24457 through the vendor guidance referenced by the NVD record.
- Prioritize devices used to open external or untrusted image files, since the supplied CVSS vector requires user interaction.
- Use normal attachment and file-handling controls for untrusted image content until affected systems are updated.
- Confirm remediation by re-checking the installed HEIF Image Extension version after patching.
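The inventory and verification steps above can be scripted on each Windows endpoint. The following PowerShell is an added example written for this debrief; it is not code from the original page or from Microsoft. It assumes the extension is installed as the Appx/MSIX package named Microsoft.HEIFImageExtension (the Store-delivered package Microsoft uses for the HEIF codec); confirm the name in your environment with Get-AppxPackage *HEIF* before relying on it. The fixed-version threshold 1.0.43012.0 is taken from the NVD CPE range.

```powershell
# Added example (not from the original debrief): inventory the Microsoft HEIF Image
# Extension on a Windows endpoint and flag installs older than 1.0.43012.0, the first
# version outside the vulnerable CPE range for CVE-2022-24457.
# Assumption: the extension is the Appx/MSIX package "Microsoft.HEIFImageExtension".
# Verify with: Get-AppxPackage *HEIF*

$FixedVersion = [version]'1.0.43012.0'
$PackageName  = 'Microsoft.HEIFImageExtension'   # assumed package name, see above

function Test-HeifExtensionVulnerable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        [version]$Fixed = $FixedVersion
    )
    # Compare as [version] objects, not strings: '1.0.9' sorts after '1.0.43012' lexically.
    return ($InstalledVersion -lt $Fixed)
}

function Get-HeifExtensionStatus {
    [CmdletBinding()]
    param([switch]$AllUsers)

    $params = @{ Name = $PackageName; ErrorAction = 'SilentlyContinue' }
    if ($AllUsers) { $params['AllUsers'] = $true }   # requires an elevated session

    $packages = Get-AppxPackage @params
    if (-not $packages) {
        # Not installed: nothing to patch for this CVE on this host.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Installed    = $false
            Version      = $null
            Architecture = $null
            Vulnerable   = $false
            Note         = "$PackageName not present"
        }
    }

    # A host can carry several copies (per user, per architecture); report each one.
    foreach ($pkg in $packages) {
        $v = [version]$pkg.Version
        $vulnerable = Test-HeifExtensionVulnerable -InstalledVersion $v
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Installed    = $true
            Version      = $v.ToString()
            Architecture = $pkg.Architecture
            Vulnerable   = $vulnerable
            Note         = if ($vulnerable) { "below fixed version $FixedVersion" } else { 'at or above fixed version' }
        }
    }
}

# Usage: run elevated so every user profile is covered, e.g. from a scheduled inventory
# job that exports the objects to CSV for the patch team. Re-run after updating the
# extension to confirm Vulnerable is $false on every row.
Get-HeifExtensionStatus -AllUsers | Format-Table -AutoSize
```

Keep the version comparison as [version] objects; a string comparison of Appx version numbers gives wrong answers once a component exceeds one digit, which is exactly the case with 43012.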
Evidence notes
This debrief is based only on the supplied CVE metadata and official references. Key evidence includes the CVE published date of 2022-03-09, the NVD-modified date of 2024-11-21, the NVD CVSS v3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, the CWE-787 classification, and the vulnerable CPE criterion for microsoft:heif_image_extension versions ending before 1.0.43012.0. The NVD record references the Microsoft MSRC advisory as the vendor source.
Official resources
- CVE-2022-24457 CVE record (CVE.org)
- CVE-2022-24457 NVD detail (NVD)
- Source reference: CVE-2022-24457 was published on 2022-03-09 and last modified in the supplied NVD metadata on 2024-11-21. No Known Exploited Vulnerabilities date was provided in the supplied timeline.