CVE-2021-40985: 
NixOS vulnerability analysis and mitigation

CVE-2021-40985 is a security vulnerability discovered in HTMLDOC software versions before 1.9.12. The vulnerability was disclosed on November 3, 2021, and affects the image processing functionality of the software. Specifically, it involves a stack-based buffer under-read vulnerability that occurs when processing BMP images through the imageloadbmp function (NVD, CVE).

The vulnerability is classified as a stack-based buffer under-read issue with a CVSS v3.1 Base Score of 5.5 (Medium). The attack vector is Local (L), with Low attack complexity (L), requiring No privileges (N) and User interaction (R). The scope is Unchanged (U), with No impact on confidentiality (N) and integrity (N), but High impact on availability (H). The complete vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Ubuntu).

When exploited, the vulnerability allows attackers to cause a denial of service condition through a specially crafted BMP image sent to the imageloadbmp function. This can result in application crashes or service disruptions (NVD).

The vulnerability was patched in HTMLDOC version 1.9.12. Users are advised to upgrade to this version or later. The fix includes additional validation checks for image dimensions and proper handling of BMP file processing (GitHub Commit). Various Linux distributions have also released security updates to address this vulnerability, including Ubuntu and Debian (Debian Advisory).