CVE-2022-1286: 
NixOS vulnerability analysis and mitigation

A heap-buffer-overflow vulnerability was discovered in the mrb_vm_exec function within mruby/mruby GitHub repository, affecting versions prior to 3.2. The vulnerability was assigned CVE-2022-1286 and was disclosed on April 9, 2022. This security flaw affects the mruby implementation, which is an open-source implementation of the Ruby programming language (NVD, CVE).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) and out-of-bounds write (CWE-787). According to the National Vulnerability Database, it received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. However, huntr.dev assessed it with a lower CVSS score of 5.9 (MEDIUM) with vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability could potentially lead to arbitrary code execution if successfully exploited. Given the critical CVSS score from NVD, this indicates that the vulnerability could result in complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability was patched in mruby version 3.2. Users are advised to upgrade to this version or later to mitigate the risk. A fix was implemented through a commit that addresses the heap-buffer-overflow issue (GitHub Patch).