CVE-2021-28904: 
NixOS vulnerability analysis and mitigation

CVE-2021-28904 affects libyang versions up to and including v1.0.225. The vulnerability was discovered in the extgetplugin() function where it fails to check whether the revision value is NULL, which can lead to a crash when strcmp() operation is performed (Gentoo Advisory, GitHub Issue).

The vulnerability exists in the extgetplugin() function implementation where it performs a strcmp() operation on the revision parameter without first validating if it's NULL. When a NULL revision value is passed to the function, the strcmp(revision, ext_plugins[u].revision) operation causes the application to crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is availability, as it can lead to a crash of the application when exploited. The CVSS scoring indicates high impact on availability with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed in libyang version 1.0.236. Users should upgrade to this version or later to address the issue. For Gentoo users, the recommended action is to upgrade using the command: emerge --ask --oneshot --verbose ">=net-libs/libyang-1.0.236" (Gentoo Advisory).