CVE-2021-36085: 
NixOS vulnerability analysis and mitigation

CVE-2021-36085 is a security vulnerability discovered in SELinux 3.2's CIL (Common Intermediate Language) compiler. The vulnerability was published on February 20, 2021, and involves a use-after-free issue in the cilverifyclassperms function, which is called from verifymappermclassperms and hashtabmap (OSS-Fuzz Report).

The vulnerability is classified as a heap-use-after-free READ vulnerability that occurs specifically in the _cilverify_classperms function of SELinux's CIL compiler. The issue arises when the compiler attempts to verify class permissions, leading to potential memory corruption. The vulnerability has been assessed as HIGH severity according to the ecosystem-specific metrics (OSV Report).

As a heap-use-after-free vulnerability, CVE-2021-36085 could potentially lead to program crashes or memory corruption. Given its presence in SELinux, a critical security component of Linux systems, the vulnerability could impact the security enforcement mechanisms of affected systems (Debian Tracker).

The vulnerability was fixed in SELinux version 3.3-1 and later releases. The fix involves properly destroying the classperm list when resetting map perms, as implemented in commit 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba (SELinux Commit).