CVE-2021-26260: 
NixOS vulnerability analysis and mitigation

An integer overflow leading to a heap-buffer overflow was discovered in the DwaCompressor of OpenEXR in versions before 3.0.1. The vulnerability, tracked as CVE-2021-26260, was reported in June 2021 and affects the OpenEXR image format library (NVD, Ubuntu).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 5.5. The attack vector is Local (L), with Low attack complexity (L), requiring No privileges (N) and User interaction (R). The scope is Unchanged (U), with No impact on confidentiality (N) and integrity (N), but High impact on availability (H). The vulnerability stems from an integer overflow condition that can lead to a heap-buffer overflow in the DwaCompressor component (NVD).

If exploited, this vulnerability could allow an attacker to cause a denial of service by crashing an application that is compiled with OpenEXR. The primary impact is on system availability, with no direct impact on data confidentiality or integrity (Ubuntu, NVD).

The vulnerability has been fixed in OpenEXR version 3.0.1 and later. Various Linux distributions have released security updates to address this issue, including Ubuntu, Debian, and Fedora. Users are recommended to upgrade their OpenEXR packages to the patched versions (Debian, Ubuntu).