CVE-2021-32436: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability was discovered in the write_title() function in subs.c of abcm2ps version 8.14.11. The vulnerability was assigned CVE-2021-32436 and was disclosed in early 2021. The affected software, abcm2ps, is a program that translates ABC music description files to PostScript format (Ubuntu Security).

The vulnerability stems from an out-of-bounds read condition in the write_title() function located in subs.c. The issue occurs because the code doesn't properly validate whether &s->text[2] is valid before accessing it. This vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Ubuntu Security).

When exploited, this vulnerability allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (CVE Mitre).

The vulnerability has been fixed in multiple versions across different distributions. Ubuntu has released fixes in versions 8.14.11-0.1ubuntu0.1~esm1 for 22.04 LTS, 8.14.6-0.1ubuntu0.1~esm1 for 20.04 LTS, and 7.8.9-1+deb9u1build0.18.04.1 for 18.04 LTS. Debian has addressed the issue in version 7.8.9-1+deb9u1. Fedora has released version 8.14.13-1 to fix this vulnerability (Ubuntu Security, Debian Security).