CVE-2020-23930: 
NixOS vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in GPAC through version 20200801. The vulnerability exists in the function nhmldumpsendheader located in write_nhml.c, which allows an attacker to cause a Denial of Service condition (NVD, CVE).

The vulnerability is tracked as CVE-2020-23930 and has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue stems from a NULL pointer dereference in the nhmldumpsendheader function when processing audio format properties. The vulnerability was confirmed through AddressSanitizer which detected a SEGV on an unknown address when attempting to access uninitialized pointer values (GitHub Issue).

The vulnerability allows an attacker to trigger a denial of service condition by causing the application to crash through a NULL pointer dereference. This affects the stability and availability of systems using the affected GPAC versions (NVD).

The vulnerability was fixed in a subsequent commit that added a NULL pointer check before accessing the audio format properties. Users should upgrade to a version that includes commit 9eeac00b38348c664dfeae2525bba0cf1bc32349 which implements the fix (GitHub Commit).