CVE-2021-3497: 
NixOS vulnerability analysis and mitigation

CVE-2021-3497 affects GStreamer versions before 1.18.4, where a use-after-free vulnerability exists in the Matroska plugin. The vulnerability was discovered in early 2021 and officially disclosed on March 15, 2021. The issue affects both GStreamer 1.x versions up to 1.18.3 and 0.10.x versions above 0.10.8 (GStreamer Advisory).

The vulnerability occurs when demuxing certain malformed Matroska files, where the application might access already-freed memory in error code paths. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (NVD).

The vulnerability could allow an attacker to trigger a crash in the application or potentially execute arbitrary code with the privileges of the target user. However, code execution is considered difficult due to modern compiler and glibc protections against use-after-free vulnerabilities (Red Hat Bugzilla).

The vulnerability was fixed in GStreamer version 1.18.4. Users are recommended to upgrade to this version or later. For those using older branches of GStreamer, applying the security patch and recompiling is advised. Multiple Linux distributions have released security updates to address this vulnerability, including Debian (DSA-4900-1) and Gentoo (GLSA 202208-31) (GStreamer Advisory, Gentoo Advisory).