CVE-2021-42785: 
NixOS vulnerability analysis and mitigation

Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server. The vulnerability was discovered by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) and was assigned CVE-2021-42785 on October 21, 2021. This vulnerability affects TightVNC versions up to and including 2.8.59 (NVD).

The vulnerability is classified as a Classic Buffer Overflow (CWE-120) where the application fails to check input size during buffer copy operations. It received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (NVD).

The vulnerability allows remote attackers to execute arbitrary code on the target system running TightVNC Viewer. Given the CVSS score of 9.8, successful exploitation could lead to complete system compromise, allowing attackers to gain full control over the affected system (NVD).

Users should upgrade to a version newer than TightVNC 2.8.59. The vulnerability was addressed in subsequent releases as indicated in the TightVNC changelog (TightVNC Changelog).