CVE-2022-35166: 
NixOS vulnerability analysis and mitigation

libjpeg commit 842c7ba was discovered to contain an infinite loop vulnerability in the component JPEG::ReadInternal. The vulnerability was discovered and reported on June 26, 2022, and was assigned CVE-2022-35166. This vulnerability affects the libjpeg library, which is a widely used image processing software (MITRE CVE, Ubuntu Security).

The vulnerability occurs in the JPEG::ReadInternal function when processing certain JPEG files. Specifically, when a marker equals 0xffd9, ParseFrameHeader returns NULL, which initializes mpCurrent with NULL. Due to mbReceivedFrameHeader being set to true afterward, subsequent calls to StartParseFrame continue returning m_pCurrent=NULL, resulting in an infinite loop in JPEG::ReadInternal. The vulnerability has been assigned a CVSS 3.1 score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub Issue, Ubuntu Security).

The vulnerability primarily affects system availability through a denial of service condition caused by the infinite loop. When exploited, it can cause the application to hang, consuming system resources. The CVSS scoring indicates high impact on availability while having no direct impact on confidentiality or integrity (Ubuntu Security).

The vulnerability affects multiple versions of libjpeg, including those in Debian distributions such as bullseye, bookworm, and sid/trixie. As of the latest reports, the vulnerability remains unfixed in some distributions, though it has been noted as having unimportant urgency due to it being primarily a hang in the CLI tool without significant security impact (Debian Security).