CVE-2023-26253: 
NixOS vulnerability analysis and mitigation

A stack-based buffer over-read vulnerability was discovered in GlusterFS 11.0, specifically in the xlators/mount/fuse/src/fuse-bridge.c notify function. The vulnerability was assigned CVE-2023-26253 and was publicly disclosed on February 20, 2023 (NVD).

The vulnerability occurs in the notify() function where there is an improper handling of event notifications. The bug is triggered when the callback function client_cbk_inodelk_contention is called. The issue stems from a data type conversion where a stack variable of type struct gf_upcall (40 bytes) is converted to glusterfs_graph_t, leading to a buffer overflow read when accessing graph->id at the 52nd byte (GitHub Issue). The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High) (Ubuntu Security).

The primary impact of this vulnerability is a potential denial of service condition. When exploited, the stack-based buffer over-read can cause the application to crash, affecting the availability of the GlusterFS service (Red Hat CVE).

Multiple vendors have released patches to address this vulnerability. Ubuntu has provided fixes for various versions: 10.3-4ubuntu0.1 for lunar, 10.2-1ubuntu0.1 for kinetic, and 10.1-1ubuntu0.1 for jammy. Fedora has released version 10.4-1.fc37 to address this issue (Fedora Update).