CVE-2021-32278: 
NixOS vulnerability analysis and mitigation

A heap-buffer-overflow vulnerability (CVE-2021-32278) was discovered in faad2 through version 2.10.0. The vulnerability exists in the function ltprediction located in ltpredict.c, which could allow an attacker to cause code execution (NVD, CVE).

The vulnerability is a heap-buffer-overflow that occurs in the ltprediction function at line 108:36 in ltpredict.c. The issue involves a READ operation of size 2 at an unauthorized memory location. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Github Issue, NVD).

If exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system. The vulnerability affects confidentiality, integrity, and availability with high impact levels (NVD).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released fixes for versions 20.04 LTS (2.9.1-1ubuntu0.1), 18.04 LTS (2.8.8-1ubuntu0.1~esm1), 16.04 LTS (2.8.0~cvs20150510-1ubuntu0.1+esm1), and 14.04 LTS (2.7-8+deb8u3ubuntu0.1~esm1). Debian has also released security updates to address this issue (Ubuntu Notice, Debian Security).