PatchSiren

CVE-2022-24501 Microsoft CVE debrief

CVE-2022-24501 is an officially published vulnerability affecting Microsoft VP9 Video Extensions. The supplied metadata describes it as a remote code execution issue, while the NVD CVSS vector shows local attack conditions with required user interaction. Because the impact is scored high for confidentiality, integrity, and availability, it should be treated as a serious endpoint risk where the extension is installed.

Vendor: Microsoft
Product: VP9 Video Extensions
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-03-09
Original CVE updated: 2024-11-21
Advisory published: 2022-03-09
Advisory updated: 2024-11-21

Who should care

Windows endpoint administrators, Microsoft Store app maintainers, security operations teams, and users who have Microsoft VP9 Video Extensions installed on devices that process untrusted media or content.

Technical summary

The affected product listed in the official metadata is microsoft:vp9_video_extensions. NVD assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates no privileges are required, but a local attack path and user interaction are needed. NVD also lists the weakness as NVD-CWE-noinfo, so the exact weakness class is not specified in the supplied corpus. The vulnerability is documented in Microsoft’s update guide referenced by NVD.

Defensive priority

High. Prioritize systems with Microsoft VP9 Video Extensions installed, especially endpoints used to open media from untrusted sources or shared user environments.

Recommended defensive actions

  • Verify whether Microsoft VP9 Video Extensions is installed across managed endpoints.
  • Review Microsoft’s update guide for CVE-2022-24501 and apply the vendor-recommended remediation on affected systems.
  • Remove or disable the extension where it is not needed to reduce attack surface.
  • Use endpoint monitoring to flag unusual crashes or suspicious activity involving the extension.
  • Keep Windows and Microsoft Store app updates current so the affected component receives vendor fixes promptly.

Evidence notes

This debrief uses only the supplied official sources: the CVE record, NVD detail metadata, NVD source item snapshot, and Microsoft’s MSRC update guide link. No KEV entry was supplied. The CVSS vector from NVD indicates local attack conditions and user interaction, which should be considered alongside the title/description that labels the issue as remote code execution.

Official resources

CVE published 2022-03-09T17:15:14.880Z and last modified 2024-11-21T06:50:33.157Z. No KEV listing was supplied in the provided corpus.