CVE-2022-1297: 
NixOS vulnerability analysis and mitigation

Out-of-bounds Read vulnerability (CVE-2022-1297) was discovered in the r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 versions prior to 5.6.8. The vulnerability was disclosed on April 11, 2022, affecting the Radare2 reverse engineering framework (NVD).

The vulnerability stems from improper validation of user-supplied data in the r_bin_ne_get_entrypoints function, which can result in a read past the end of an allocated buffer. The issue involves unaligned casts in the NE entrypoint logic. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) by NIST, while huntr.dev assessed it with a CVSS score of 6.6 MEDIUM (NVD).

This vulnerability could allow attackers to read sensitive information or cause a crash in the affected system. The out-of-bounds read condition potentially exposes sensitive data from memory locations that should not be accessible (NVD).

The vulnerability has been fixed in Radare2 version 5.6.8 and later. The fix includes proper bounds checking and the use of r_read_le16 for safe reading of 16-bit values, replacing direct unaligned memory access (GitHub Commit).