CVE-2021-36409: 
NixOS vulnerability analysis and mitigation

CVE-2021-36409 is a vulnerability discovered in libde265 version 1.0.8, an open H.265 video codec implementation. The vulnerability manifests as an assertion failure at sps.cc:925 with the condition 'scalinglistpredmatrixid_delta==1'. This issue was first reported on June 24, 2021, and affects multiple versions of the software across different Linux distributions (GitHub Issue).

The vulnerability occurs in the scaling list prediction matrix handling within the codec's implementation. Specifically, the issue triggers an assertion failure at line 925 in the sps.cc file when processing certain video files. The vulnerability is related to the scalinglistpredmatrixid_delta parameter validation, which expects a specific value of 1 but can receive invalid input (GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) by running the application with a specially crafted file. The impact occurs when processing malformed video files, causing the application to terminate unexpectedly (Debian LTS).

Multiple Linux distributions have released patches to address this vulnerability. Debian has fixed the issue in version 1.0.3-1+deb10u1 for Debian 10 (Buster) and version 1.0.11-0+deb11u1 for Debian 11 (Bullseye). Ubuntu has also released fixes across multiple versions: Ubuntu 22.04 (1.0.8-1ubuntu0.1), Ubuntu 20.04 (1.0.4-1ubuntu0.2), and Ubuntu 18.04 (1.0.2-2ubuntu0.18.04.1~esm2) (Debian Security, Ubuntu Notice).