
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-1041 is a vulnerability in the Zephyr Bluetooth Mesh core stack that can be triggered during provisioning. It was disclosed on July 25, 2022, and affects Zephyr versions up to and including 3.0.0. This out-of-bounds write exists because the SegN and TotalLength parameters in the Transaction Start PDU are insufficiently validated (Zephyr Advisory).
The vulnerability stems from a missing check for mismatched SegN and TotalLength in the Transaction Start PDU within the gen_prov_start function. For instance, a TotalLength of 65 with SegN 62 is incorrectly accepted as valid, when SegN should only be 2 for this TotalLength. By sending a malformed Transaction Start PDU, an attacker can therefore bypass the SegO and SegN validation applied to the Transaction Continue PDU. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating an adjacent-network attack vector with no privileges or user interaction required (NVD).
When exploited, this vulnerability can lead to an out-of-bounds write when a Transaction Continue PDU with an oversized SegO (larger than 2) is processed. This can result in a high impact on the confidentiality, integrity, and availability of the affected system (NVD).
The vulnerability has been fixed through multiple patches: main branch via PR #45136, v3.0 via PR #45188, and v2.7 via PR #45187 (Zephyr Advisory).
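The consistency check described above, sketched as an added example; this is not the code from the Zephyr patches. The struct, function names and 65-byte buffer size are assumptions made for illustration, and the 20- and 23-byte payload limits are those of the PB-ADV bearer's Transaction Start and Continuation PDUs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define START_PAYLOAD_MAX 20u /* data bytes in a Transaction Start PDU */
#define CONT_PAYLOAD_MAX  23u /* data bytes in a Transaction Continuation PDU */
#define RX_BUF_LEN        65u /* assumed reassembly buffer size */

struct rx_state {             /* hypothetical reassembly state */
	uint8_t  buf[RX_BUF_LEN];
	uint16_t total_len;
	uint8_t  last_seg;
};

/* Index of the last segment needed to carry total_len bytes. */
uint8_t expected_seg_n(uint16_t total_len)
{
	if (total_len <= START_PAYLOAD_MAX) {
		return 0;
	}
	unsigned rest = total_len - START_PAYLOAD_MAX;
	return (uint8_t)((rest + CONT_PAYLOAD_MAX - 1u) / CONT_PAYLOAD_MAX);
}

/* Accept a Transaction Start only if SegN agrees with TotalLength. */
bool start_accept(struct rx_state *rx, uint8_t seg_n, uint16_t total_len)
{
	if (total_len == 0 || total_len > RX_BUF_LEN ||
	    seg_n != expected_seg_n(total_len)) {
		return false; /* e.g. TotalLength 65 with SegN 62 */
	}
	rx->total_len = total_len;
	rx->last_seg = seg_n;
	return true;
}

/* Copy a continuation segment; reject anything landing outside total_len. */
bool cont_accept(struct rx_state *rx, uint8_t seg_o, const uint8_t *data, size_t len)
{
	if (seg_o == 0 || seg_o > rx->last_seg || len > CONT_PAYLOAD_MAX) {
		return false;
	}
	size_t off = START_PAYLOAD_MAX + (size_t)(seg_o - 1u) * CONT_PAYLOAD_MAX;
	if (off + len > rx->total_len) {
		return false;
	}
	memcpy(&rx->buf[off], data, len);
	return true;
}
```

The per-segment offset check in cont_accept is defence in depth: even if a bad SegN were stored, no write could land past TotalLength.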
Source: This report was generated using AI