CVE-2021-36408: 
NixOS vulnerability analysis and mitigation

A heap-use-after-free vulnerability was discovered in libde265 version 1.0.8, specifically in the intrapred.h file when decoding files using dec265. The vulnerability was identified and assigned CVE-2021-36408, with its initial discovery reported on June 23, 2021 (GitHub Issue).

The vulnerability manifests as a heap-use-after-free error occurring in the intra_border_computer::fill_from_image() function within intrapred.h at line 552. The issue involves a READ operation of size 4 bytes at a memory location that has been previously freed. This vulnerability was confirmed through testing with Address Sanitizer (ASAN) on Ubuntu 20.04.1 using both clang 10.0.0 and gcc 9.3.0 compilers (GitHub Issue).

If exploited, this vulnerability could potentially lead to denial of service (DoS) or arbitrary code execution when a user or automated system is tricked into opening a specially crafted file (Broadcom Support).

The vulnerability has been fixed in multiple distributions: Ubuntu 22.04 LTS (jammy) with version 1.0.8-1ubuntu0.1, Ubuntu 20.04 LTS (focal) with version 1.0.4-1ubuntu0.1, and Debian Bullseye with version 1.0.11-0+deb11u1. Users are recommended to upgrade their libde265 packages to these patched versions (Debian Security).