CVE-2021-40164: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2021-40164) was identified in Autodesk's Image Processing component. The vulnerability affects multiple Autodesk products including AutoCAD, Revit, Inventor, and Navisworks across versions 2019-2022. The vulnerability was disclosed on October 7, 2022, and could be exploited when parsing TIFF, PICT, TGA, or RLC files (Autodesk Advisory).

The vulnerability is classified as a heap-based buffer overflow (CWE-787) that occurs during the parsing of TIFF, PICT, TGA, or RLC files. It has a CVSS v3.1 base score of 7.8 (High), with the following vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system. The vulnerability affects multiple critical Autodesk products including AutoCAD, Revit, Civil 3D, Inventor, and Navisworks, potentially impacting a wide range of engineering and design professionals (Autodesk Advisory).

Autodesk has released patches for affected products. Users should update to the following versions: AutoCAD (2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4), Revit (2022.1.1, 2021.1.5, 2020.2.6, 2019.2.4), Inventor (2022.2, 2021.4, 2020.5, 2019.6), and Navisworks (2022.2, 2021.4, 2020.5, 2019.7). Updates can be installed via the Autodesk Desktop App or Accounts Portal (Autodesk Advisory).