CVE-2018-21035: 
NixOS vulnerability analysis and mitigation

CVE-2018-21035 affects Qt through version 5.14.1, specifically its WebSocket implementation. The vulnerability was disclosed on February 28, 2020. The issue exists in the WebSocket component which accepts frames and messages up to 2GB in size, with no ability to configure smaller limits (NVD).

The vulnerability stems from the WebSocket implementation's frame and message size handling. The code sets maximum frame and message sizes to INT_MAX - 1 (approximately 2GB) in qwebsocketframe_p.h, with no way to configure smaller limits. The CVSS v3.1 base score is 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Qt Bug Report).

The vulnerability makes it easier for attackers to cause a denial of service through memory consumption. An attacker could establish multiple WebSocket connections and send partial messages containing large frames, potentially exhausting the virtual memory of the process running the WebSocket server or client, leading to a crash (Qt Bug Report).

The vulnerability was addressed in subsequent Qt releases. Red Hat provided fixes through security advisory RHSA-2020:4690 for affected systems. The fix involves adding a public API to set maximum frame and message sizes (Red Hat Advisory).