CVE-2023-24757: 
NixOS vulnerability analysis and mitigation

libde265 v1.0.10 was discovered to contain a NULL pointer dereference vulnerability in the put_unweighted_pred_16_fallback function at fallback-motion.cc. The vulnerability was discovered and reported on January 29, 2023, and affects the libde265 library, which is an open-source implementation of the H.265 video codec (GitHub Issue, NVD).

The vulnerability occurs in the put_unweighted_pred_16_fallback function within the fallback-motion.cc file at line 179. The issue manifests as a NULL pointer dereference when attempting to write memory, specifically when processing video data. The vulnerability is triggered when processing specially crafted input files, leading to a segmentation fault (GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) condition through a specially crafted input file. The impact is primarily focused on service availability, as the NULL pointer dereference causes the application to crash (Debian Security).

The vulnerability has been fixed in subsequent releases. Various distributions have released security updates to address this issue: Debian 10 (Buster) has been fixed in version 1.0.11-0+deb10u4, Ubuntu has released updates for versions 22.04, 20.04, 18.04, and 16.04 ESM. Users are recommended to upgrade their libde265 packages to the patched versions (Debian LTS).