CVE-2023-26314: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-26314) affects the mono package before version 6.8.0.105+dfsg-3.3 for Debian. The issue allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter. This vulnerability was discovered in October 2020 and was publicly disclosed in February 2023 (Debian Bug, OSS Security).

The vulnerability has a CVSS 3.1 Base Score of 8.8 (High), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, User interaction Required, Unchanged scope, and High impact on Confidentiality, Integrity, and Availability. The technical issue stems from the mono-runtime-common package associating the application/x-ms-dos-executable MIME type with the Mono CLR interpreter without proper sandboxing (Ubuntu CVE).

The vulnerability enables attackers to trigger arbitrary code execution through various programs such as Chromium, Firefox, and Thunderbird when the Mono packages are installed. The impact is particularly severe as it can be exploited through normal 'open a document' actions, including following web links to downloadable files, opening email attachments, or following file:/// links in non-web formats (OSS Security).

The vulnerability has been fixed in mono version 6.8.0.105+dfsg-3.3 for Debian testing and sid, and Ubuntu Lunar (23.04). For Debian 10 (buster), the fix is available in version 5.18.0.240+dfsg-3+deb10u1. Users are recommended to upgrade their mono packages to these fixed versions (Debian LTS).