
Cloud Vulnerability DB
A community-led vulnerabilities database
TightVNC code version 1.3.10 contains a null pointer dereference vulnerability in the HandleZlibBPP function. The vulnerability was discovered in 2019 and assigned identifier CVE-2019-15680. This security flaw affects TightVNC software and related packages, with a CVSS v3 base score of 7.5 indicating high severity (CISA, Ubuntu).
The vulnerability stems from a null pointer dereference in the HandleZlibBPP function within TightVNC's code. The result of malloc is not checked after allocation, so a null pointer dereference is possible if malloc fails to allocate memory because of an overly large argument (Openwall). The vulnerability has been assigned a CVSS vector string of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low complexity to exploit, and can result in high availability impact (CISA).
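An added example, not TightVNC source code and not part of the original advisory: the unchecked-allocation pattern described above beside a hardened form that bounds the peer-supplied size and checks the allocator's result. The message layout (a 4-byte big-endian length prefix), the 16 MiB cap, the injectable allocator and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not TightVNC source. */
typedef void *(*alloc_fn)(size_t);
enum { DEC_OK = 0, DEC_SHORT = -1, DEC_BAD_SIZE = -2, DEC_NOMEM = -3 };
#define MAX_PAYLOAD (16u * 1024u * 1024u) /* assumed policy cap */

/* Read the 4-byte big-endian length that prefixes the constructed message. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: peer-supplied size, allocation result used unchecked. */
int decode_unchecked(const uint8_t *msg, size_t len, alloc_fn alloc, uint8_t **out) {
    if (len < 4) return DEC_SHORT;
    uint32_t n = read_be32(msg);
    uint8_t *buf = alloc(n);
    memset(buf, 0, n); /* NULL dereference if the allocation failed */
    *out = buf;
    return DEC_OK;
}

/* Hardened: bound the size, match it to the data present, check the result. */
int decode_checked(const uint8_t *msg, size_t len, alloc_fn alloc, uint8_t **out) {
    *out = NULL;
    if (len < 4) return DEC_SHORT;
    uint32_t n = read_be32(msg);
    if (n == 0 || n > MAX_PAYLOAD) return DEC_BAD_SIZE;
    if ((size_t)n > len - 4) return DEC_SHORT;
    uint8_t *buf = alloc(n);
    if (buf == NULL) return DEC_NOMEM; /* fail the message, not the process */
    memcpy(buf, msg + 4, n);
    *out = buf;
    return DEC_OK;
}

/* Test allocator that simulates memory exhaustion. */
void *alloc_fail(size_t n) { (void)n; return NULL; }

int main(void) {
    const uint8_t msg[] = {0, 0, 0, 3, 'a', 'b', 'c'}; /* constructed sample */
    uint8_t *out;
    int a = decode_checked(msg, sizeof msg, malloc, &out);
    free(out);
    int b = decode_checked(msg, sizeof msg, alloc_fail, &out);
    return (a == DEC_OK && b == DEC_NOMEM && out == NULL) ? 0 : 1;
}
```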
If exploited, this vulnerability could result in a Denial of Service (DoS) condition. The attack appears to be exploitable via network connectivity, potentially allowing remote attackers to cause the system to crash (CISA, Ubuntu).
Various Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in multiple versions: Ubuntu 20.04 LTS (0.9.12+dfsg-9ubuntu0.1), Ubuntu 19.10 (0.9.11+dfsg-1.3ubuntu0.1), Ubuntu 18.04 LTS (0.9.11+dfsg-1ubuntu1.2), and Ubuntu 16.04 LTS (0.9.10+dfsg-3ubuntu0.16.04.4). System administrators should update their systems to these patched versions (Ubuntu).
Source: This report was generated using AI