CVE-2021-32492: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2021-32492) was discovered in djvulibre version 3.5.28 and earlier versions. The flaw was identified as an out-of-bounds read vulnerability in the DJVU::DataPool::has_data() function, which could be triggered by processing a specially crafted djvu file (NVD, CVE). The vulnerability was reported on March 26, 2021, and was assigned a CVSS v3.1 base score of 7.8 (HIGH).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) issue. According to the CVSS v3.1 scoring metrics, the vulnerability requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). The scope is unchanged (S:U), with high impact potential for confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability could lead to application crashes resulting in denial of service. Additionally, there could be other unspecified consequences due to the out-of-bounds read condition (Red Hat Bugzilla).

The vulnerability has been fixed in multiple distributions. Debian released patches in version 3.5.27.1-10+deb10u1 for the oldstable distribution (buster) and version 3.5.28-2 for the stable distribution (bullseye). Ubuntu also provided security updates for affected versions (Debian Advisory).