CVE-2020-10575: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in Janus through version 0.9.1, specifically in the VideoCall plugin (plugins/janus_videocall.c). The vulnerability relates to session management mishandling where a race condition causes some references to be freed too early or too many times (NVD, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.2 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The issue stems from a broken management of sessions in the plugin that are tied to the usernames that are registered. This implementation can lead to states where references may be freed prematurely or multiple times, potentially causing system instability (GitHub PR).

The vulnerability can result in system crashes due to improper memory management. The impact is characterized by low confidentiality and integrity breaches, with no direct impact on system availability. The vulnerability requires user interaction and has high attack complexity (NVD).

The issue has been fixed in Janus version 0.9.2. The fix involves restructuring the session management in the VideoCall plugin to prevent race conditions and improve stability. Users are advised to upgrade to version 0.9.2 or later to address this vulnerability (GitHub PR, Debian Changes).

The vulnerability was discovered through security research and reported responsibly. The fix was developed and tested extensively before being merged into the main codebase. Stress testing of the fix showed no crashes, indicating successful remediation of the issue (GitHub PR).