
Cloud Vulnerability DB
A community-led vulnerabilities database
Libde265 version 1.0.9 contains a heap buffer overflow vulnerability in the de265image::setSliceAddrRS(int, int, int) function. The vulnerability was discovered in December 2022 and was assigned CVE-2022-47665. This security flaw affects the open H.265 video codec implementation (NVD, Ubuntu).
The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write). The issue occurs specifically in the setSliceAddrRS function of the de265image class, where a heap buffer overflow can be triggered during video decoding operations (NVD).
If successfully exploited, this vulnerability could allow an attacker to cause a denial of service condition or potentially execute arbitrary code. The attack requires user interaction, such as opening a specially crafted file, but does not require special privileges to execute (Ubuntu Notice).
The vulnerability has been fixed in multiple distributions. Ubuntu has released patches for various versions: Ubuntu 22.04 LTS (1.0.8-1ubuntu0.2), Ubuntu 20.04 LTS (1.0.4-1ubuntu0.3), Ubuntu 18.04 ESM (1.0.2-2ubuntu0.18.04.1~esm3), and Ubuntu 16.04 ESM (1.0.2-2ubuntu0.16.04.1~esm3). Users are advised to update their systems to the latest available versions (Ubuntu Notice).
Source: This report was generated using AI