CVE-2021-4115: 
NixOS vulnerability analysis and mitigation

A vulnerability in polkit (CVE-2021-4115) was discovered that allows an unprivileged user to cause polkit to crash due to process file descriptor exhaustion. The vulnerability was disclosed in February 2022 and affects various Linux distributions including Red Hat Enterprise Linux, Fedora, Ubuntu, and Debian systems running polkit (NVD, Red Hat).

The vulnerability is caused by a file descriptor leak in polkit that can lead to process file descriptor exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires local access and low privileges to exploit. The duration of the polkit process outage is tied to the failing process being reaped and a new one being spawned (NVD, GitHub Security Lab).

The primary impact of this vulnerability is on system availability. When successfully exploited, it can cause the polkit service to crash, potentially disrupting system operations that depend on polkit for privilege escalation and authorization. The highest threat from this vulnerability is to system availability, with no direct impact on confidentiality or integrity (NVD).

Patches have been released by various vendors to address this vulnerability. Red Hat has released updates for affected versions, and similar patches have been made available through other distribution channels. Users are advised to update their systems to the patched versions of polkit (Red Hat, Fedora).