CVE-2021-38575: 
NixOS vulnerability analysis and mitigation

NetworkPkg/IScsiDxe has remotely exploitable buffer overflows, identified as CVE-2021-38575. The vulnerability was discovered and recorded on August 11, 2021, affecting EDK2 firmware and Insyde Software's kernel versions 5.0 through 5.5. This high-severity vulnerability received a CVSS v3.1 base score of 8.1 (NVD).

The vulnerability is classified as an Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) and Buffer Underwrite (CWE-124). It has a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it is network-accessible, requires high attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD, Insyde Advisory).

The vulnerability can lead to high impacts on system confidentiality, integrity, and availability through remote exploitation. The buffer overflow vulnerability in the IScsiHexToBin function within NetworkPkg/IScsiDxe could allow remote attackers to potentially execute arbitrary code or cause system crashes (NVD).

Insyde Software has released fixes for affected kernel versions: Version 05.0A.11 for Kernel 5.0, Version 05.18.09 for Kernel 5.1, Version 05.28.05 for Kernel 5.2, Version 05.37.05 for Kernel 5.3, Version 05.43.42 for Kernel 5.4, and Version 05.51.42 for Kernel 5.5 (Insyde Advisory).