CVE-2021-36087: 
NixOS vulnerability analysis and mitigation

The CIL compiler in SELinux 3.2 contains a heap-based buffer over-read vulnerability in the ebitmapmatchany function, which is called indirectly from cilcheckneverallow. This vulnerability occurs due to insufficient validation of invalid statements within optional blocks (Debian Tracker, Ubuntu Security).

The vulnerability stems from a situation where nodes could be copied from an optional block to somewhere outside, even though the optional block could be disabled later. When optional blocks are disabled, the AST (Abstract Syntax Tree) is reset and resolution restarts at the point of resolving macro calls. The issue specifically manifests as a heap-based buffer over-read in the ebitmapmatchany function when processing invalid statements in optional blocks (OSS Fuzz). The vulnerability has been assigned a CVSS score of 3.3 (Low), with local attack vector, low attack complexity, and low privileges required (Ubuntu Security).

The vulnerability can lead to a heap-based buffer over-read condition, potentially causing application crashes or information disclosure. The impact is considered low severity as it requires local access and only affects the availability of the system without compromising confidentiality or integrity (Ubuntu Security).

The vulnerability was fixed in SELinux commit 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521, which implements checks for statements not allowed in optional blocks. The fix prevents tunable declarations, in-statements, blocks, blockabstracts, and macro definitions from being placed within optional blocks during both building and resolving of the AST (SELinux Commit).