CVE-2020-13598: 
NixOS vulnerability analysis and mitigation

A Stack-based Buffer Overflow vulnerability (CVE-2020-13598) was discovered in Zephyr versions >= v1.14.2 and >= v2.3.0. The vulnerability occurs when enabling Long File Names in FATFS and calling fsstat function. The issue was disclosed on April 26, 2021, and affects the Zephyr Project's filesystem implementation (Zephyr Advisory).

The vulnerability is classified as a Stack-based Buffer Overflow (CWE-121) that occurs in the subsys/fs/fatfs.c file at line 306. The issue manifests when performing fsstat on a file with a filename longer than 12 characters, causing a buffer overflow where the struct is defined with MAXFILENAME. The vulnerability has been assigned a CVSS v3.1 score of 6.3 (Moderate) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (Zephyr Advisory).

The vulnerability can lead to memory corruption if there is no memory protection in place. When exploited, it affects the confidentiality, integrity, and availability of the system, each at a low level according to the CVSS metrics (Zephyr Advisory).

The vulnerability has been patched in Zephyr version v2.4.0. The fixes were implemented through several pull requests: master branch (#25852) and v2.3 branch (#28782) (Zephyr Advisory).