CVE-2023-26157: 
NixOS vulnerability analysis and mitigation

CVE-2023-26157 affects versions of the package libredwg before 0.12.5.6384. The vulnerability was discovered in September 2023 and officially published on January 2, 2024. This security flaw exists in the decode_r2007.c file of the libredwg package, specifically involving an out-of-bounds read vulnerability in the section->num_pages component (NVD, CVE).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) and Uncontrolled Resource Consumption (CWE-400) issue. It has received a CVSS v3.1 base score of 7.5 (HIGH) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while Snyk assessed it with a score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Snyk Advisory).

The vulnerability can lead to a Denial of Service (DoS) condition through an out-of-bounds read operation. When exploited, it can cause a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component (Snyk Advisory).

The vulnerability has been patched in libredwg version 0.12.5.6384. The fix involves resetting invalid section->num_pages values to prevent out-of-bounds reads (GitHub Patch).