CVE-2021-46022: 
NixOS vulnerability analysis and mitigation

CVE-2021-46022 is a Use-After-Free vulnerability discovered in GNU Recutils version 1.8.90, specifically in the rec_mset_elem_destroy() function at rec-mset.c. The vulnerability was disclosed in December 2021 and affects the core functionality of the GNU Recutils package, which is used for accessing text-based databases called recfiles (GNU Bug Report).

The vulnerability occurs in the rec_mset_elem_destroy() function at line 83 of rec-mset.c, where improper memory handling leads to a use-after-free condition. The CVSS v3.1 base score is 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability requires local access and user interaction to be exploited (NVD).

When exploited, this vulnerability can lead to a segmentation fault and application crash, potentially causing a denial of service condition. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity of the system (GNU Bug Report).

The vulnerability has been fixed in subsequent releases. Various Linux distributions have released security updates to address this issue. Ubuntu has provided fixes through Ubuntu Pro for versions 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS. Fedora has also released updates for versions 35 and 36 (Ubuntu Security, Fedora Update).