CVE-2022-23608: 
NixOS vulnerability analysis and mitigation

CVE-2022-23608 is a vulnerability discovered in PJSIP (PJPROJECT), a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. The vulnerability was disclosed in February 2022 and affects versions up to and including 2.11.1. The issue involves a dialog set scenario where a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed (GitHub Advisory).

The vulnerability occurs when in a dialog set (or forking) scenario, where a hash key shared by multiple UAC dialogs can be prematurely freed when one of the dialogs is destroyed. This causes a dialog set to be registered in the hash table multiple times with different hash keys, leading to undefined behavior such as dialog list collision which eventually results in an endless loop. The vulnerability has been assigned a CVSS 3.1 base score of 9.8 (Critical) with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and impact levels (confidentiality, integrity, availability) all rated as High (Ubuntu Security).

The vulnerability can lead to undefined behavior in the system, including dialog list collisions and endless loops. Being a use-after-free vulnerability, it affects all PJSIP users and could potentially lead to system crashes or denial of service conditions (GitHub Advisory).

A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which was included in version 2.12 and later releases. Users are recommended to upgrade to PJSIP version 2.12.1 or later to address this vulnerability. There are no known workarounds for this issue (GitHub Advisory, Gentoo Security).