The world of media files and codecs hides many dangers. In 2022, Microsoft patched a serious vulnerability, CVE-2022-30188, in its HEVC Video Extensions for Windows. This bug let attackers run code on your computer just by getting you to open a specially crafted video file. In this deep dive, we’ll break down the vulnerability, show what an attack could look like, give code examples, and reference original sources for further reading. This write-up covers CVE-2022-30188 specifically; it is not the same bug as CVE-2022-22018, CVE-2022-29111, or CVE-2022-29119.

What Are the HEVC Video Extensions?

HEVC stands for High Efficiency Video Coding. It’s also known as H.265 and is widely used for streaming 4K video, Blu-ray discs, and newer camera formats. Microsoft’s HEVC Video Extensions is an add-on that lets Windows 10 and 11 play these videos.

You can find it in the Microsoft Store, and it is often installed for free when you try to play an HEVC/H.265 video.

The Vulnerability: CVE-2022-30188

This security issue is a Remote Code Execution (RCE) vulnerability. It carries a CVSS base score of 7.8, which rates it as High severity.

How Does It Work?

A flaw in the way the HEVC extension parses video files opened the door. By crafting a malicious HEVC video file, an attacker could corrupt memory during decoding. This could allow them to run code of their choice with the rights of the user who opened the file. In practice, you could download or be sent a seemingly innocent video clip, and simply playing it in a mainstream player would be enough to compromise your entire system.

1. Craft a malicious HEVC file. The attacker would specially craft the video to exploit the bug, most likely by building illegal frame headers that confuse the decoder logic.

2. Trigger the RCE. When the user plays the file with a vulnerable version of the HEVC extension, memory corruption can occur, possibly leading to code execution.

Here’s what an exploit might do (pseudocode):

// Pseudocode for heap corruption via crafted HEVC header
#include <stdio.h>
void process_NAL(unsigned char *data, size_t len); // stand-in name for the vulnerable decoder entry point
FILE *f = fopen("evil.h265", "rb");
if (f == NULL) return 1; // nothing to decode
unsigned char buf[1024];
size_t n = fread(buf, 1, sizeof(buf), f); // number of bytes actually read
fclose(f);
// Malformed NAL unit triggers a buffer overflow inside the decoder
process_NAL(buf, n);

In Microsoft’s code, a vulnerable section may fail to check the sizes declared in the file against the amount of data actually received. For example, if a field in the frame header is read as a size value but is set absurdly large:

if (header.frame_size > MAX_BUFFER) {
    // should reject the frame here, but the bug lets execution continue
}
unsigned char *dest = malloc(header.frame_size);
memcpy(dest, src, header.frame_size); // frame_size is attacker-controlled: the copy runs past the data actually received

A real attacker would use reverse engineering to find the exact buffer overrun location and fill it with shellcode.
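To make the defensive side of this concrete, here is an added example (not Microsoft’s code, and not taken from the page’s own snippets) of how a decoder should treat a size field it reads from an untrusted file. The header layout is a constructed one for the demo (a 4-byte little-endian length followed by the payload), not the real HEVC syntax, and MAX_FRAME_SIZE is an assumed limit. The hardened parser rejects a frame whose declared size exceeds either the hard limit or the bytes actually received; the second function shows the shape of the bug by reporting how far an unchecked copy would read past the buffer, without performing that copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one frame payload; a real decoder would derive
   it from the stream's declared resolution and profile. */
#define MAX_FRAME_SIZE (8u * 1024u * 1024u)

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,   /* declared size exceeds bytes actually received */
    PARSE_TOO_LARGE = -2,   /* declared size exceeds the decoder's hard limit */
    PARSE_OOM = -3
};

struct frame {
    uint32_t frame_size;    /* payload length taken from the header */
    unsigned char *data;    /* heap copy of the payload */
};

/* Constructed header layout for this demo (not the real HEVC syntax):
   a 4-byte little-endian frame_size followed by frame_size payload bytes. */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened path: every length read from the file is validated against
   what was actually received before it drives an allocation or a copy. */
int parse_frame_checked(const unsigned char *src, size_t received, struct frame *out) {
    if (received < 4) return PARSE_TRUNCATED;
    uint32_t frame_size = read_le32(src);
    if (frame_size > MAX_FRAME_SIZE) return PARSE_TOO_LARGE;   /* the check the bug skipped */
    if (frame_size > received - 4) return PARSE_TRUNCATED;     /* declared size vs bytes on hand */
    unsigned char *dest = malloc(frame_size ? frame_size : 1);
    if (!dest) return PARSE_OOM;
    memcpy(dest, src + 4, frame_size);
    out->frame_size = frame_size;
    out->data = dest;
    return PARSE_OK;
}

/* Shape of the bug: the declared size is trusted. Instead of performing
   the unchecked memcpy (which would be undefined behaviour), this reports
   how many bytes such a copy would read beyond the received buffer. */
size_t unchecked_overread_bytes(const unsigned char *src, size_t received) {
    if (received < 4) return 0;
    uint32_t frame_size = read_le32(src);
    size_t available = received - 4;
    return frame_size > available ? (size_t)frame_size - available : 0;
}

void frame_free(struct frame *f) { free(f->data); f->data = NULL; f->frame_size = 0; }

/* Convenience wrapper: parse, release the copy, return only the status. */
int parse_status_of(const unsigned char *src, size_t received) {
    struct frame f = {0, NULL};
    int st = parse_frame_checked(src, received, &f);
    if (st == PARSE_OK) frame_free(&f);
    return st;
}

/* Constructed samples (not real HEVC data): 4-byte header + 4 payload bytes each. */
const unsigned char SAMPLE_BENIGN[8]  = { 0x04, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xBE, 0xEF }; /* claims 4, has 4 */
const unsigned char SAMPLE_CRAFTED[8] = { 0x00, 0x00, 0x10, 0x00, 0xDE, 0xAD, 0xBE, 0xEF }; /* claims 1 MiB, has 4 */
const unsigned char SAMPLE_HUGE[8]    = { 0xFF, 0xFF, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF }; /* claims 4 GiB - 1 */

int main(void) {
    printf("benign : status %d, unchecked copy would over-read %zu bytes\n",
           parse_status_of(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN),
           unchecked_overread_bytes(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    printf("crafted: status %d, unchecked copy would over-read %zu bytes\n",
           parse_status_of(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED),
           unchecked_overread_bytes(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED));
    printf("huge   : status %d\n", parse_status_of(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

The two checks are deliberately separate: the hard limit catches absurd values before they reach the allocator, and the comparison against the bytes actually received catches the more subtle case where the declared size is plausible but the file simply does not contain that much data. A decoder that only has the first check still walks off the end of its input buffer on a truncated frame.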

Sample PoC Approach

While there's no publicly available proof of concept due to responsible disclosure and anti-abuse policies, the following is a typical approach researchers use to validate RCE in video codecs:

1. Use a tool like ffmpeg or a hex editor to craft weird frame headers.

2. Watch for a crash (access violation) or a pop-up of the calculator (classic shellcode test).

3. A crash dump analysis will often show EIP (the instruction pointer) overwritten with an attacker-controlled value when the exploit works.

Update the extension from the Microsoft Store, or check Windows Update. After patching, the latest version is not vulnerable to this exploit.

Workaround:
If you don’t need HEVC playback, you can uninstall the extension.

Microsoft’s Official Advisory

- Microsoft Security Guidance Portal for CVE-2022-30188
- Windows Update History

Original Research and Deeper Reading

- Zero Day Initiative ZDI-22-1052 Reference
- "Hunting for Vulnerabilities in Video Codecs: Fuzzing HEVC" (Project Zero post — general but educational)
- HEVC File Format and Exploitation

Is this the same as other HEVC Bugs (CVE-2022-22018, CVE-2022-29111, CVE-2022-29119)?

No. Each of these CVEs addresses a separate bug in HEVC processing, sometimes in different parts of the parsing/decoding logic. If you see any of these other numbers, check which patch you need, but CVE-2022-30188 is a distinct issue and must be patched on its own.

Conclusion

CVE-2022-30188 is a real example of how simple file parsing bugs can become devastating vulnerabilities, especially when tied to something as popular as video playback. Patch your system, stay informed, and be careful about opening strange media files. Exploiting such vulnerabilities isn’t just theoretical; attackers have used malformed images, audio, and video to hijack devices for years.

References and Further Reading

- Microsoft’s CVE-2022-30188 Advisory
- ZDI-22-1052 | Zero Day Initiative
- Download the latest HEVC Video Extensions from Microsoft
- What is HEVC? Apple Documentation


Timeline

Published on: 06/15/2022 22:15:00 UTC
Last modified on: 06/27/2022 18:01:00 UTC