CVE-2020-18778: 
NixOS vulnerability analysis and mitigation

In Libav 12.3, a heap-based buffer over-read vulnerability was discovered in the vc1_decode_p_mb_intfi function within vc1_block.c. This vulnerability was assigned CVE-2020-18778 and was publicly disclosed on August 23, 2021. The vulnerability affects Libav video processing software version 12.3 (NVD, CVE).

The vulnerability is classified as a heap-based buffer over-read (CWE-125) that occurs in the vc1_decode_p_mb_intfi function within the vc1_block.c file. The CVSS v3.1 base score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability allows reading beyond the bounds of allocated memory when processing certain crafted files (NVD).

When exploited, this vulnerability can lead to denial-of-service conditions through application crashes. The buffer over-read can potentially expose sensitive information from memory, though in this case, the impact is primarily limited to service availability (NVD).

The vulnerability affects Libav version 12.3, but no official fix has been publicly documented. Users are advised to exercise caution when processing untrusted video files with affected versions of Libav (Debian Tracker).