CVE-2021-32276: 
NixOS vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in faad2 (Freeware Advanced Audio Decoder) through version 2.10.0. The vulnerability exists in the function get_sample() located in output.c. This security flaw was assigned CVE-2021-32276 and was publicly disclosed in September 2021 (NVD, MITRE).

The vulnerability is a NULL pointer dereference that occurs in the get_sample() function within output.c. The issue was discovered through testing with AddressSanitizer, which revealed a segmentation fault at line 49:16 of output.c. The vulnerability has a CVSS 3.1 Base Score of 5.5 (Medium), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Ubuntu).

When exploited, this vulnerability allows an attacker to cause a Denial of Service (DoS) condition in the application. The impact is primarily focused on availability, with no direct effect on confidentiality or integrity of the system (NVD, Ubuntu).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 2.9.1-1ubuntu0.1 for 20.04 LTS, 2.8.8-1ubuntu0.1~esm1 for 18.04 LTS, and 2.8.0~cvs20150510-1ubuntu0.1+esm1 for 16.04 LTS. Debian has addressed the vulnerability in version 2.10.0-1~deb10u1 for the oldstable distribution (buster) (Ubuntu, Debian).