CVE-2023-26819: 
NixOS vulnerability analysis and mitigation

cJSON 1.7.15 contains a vulnerability that might allow a denial of service through a crafted JSON document. The issue was assigned CVE-2023-26819 and was discovered in early 2023. The vulnerability affects cJSON library version 1.7.15 and potentially earlier versions, impacting systems that use this JSON parsing library (CVE Details, Red Hat).

The vulnerability is classified as an Expected Behavior Violation (CWE-440). According to the JSON specification, a parser must accept all texts that conform to the JSON grammar. However, cJSON fails to properly parse certain valid JSON documents, specifically when handling large numeric values. The vulnerability can be triggered with a specially crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}. The CVSS v3.1 base score is 2.9 (Low) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub POC, CVE Details).

The vulnerability can lead to unexpected errors, such as data out-of-sync in communications or invalid data processing. When exploited, it could cause denial of service conditions in applications using the affected cJSON library. The impact is considered low due to the limited scope of the vulnerability and the requirement for local access (GitHub POC).

According to Red Hat, mitigation options are either not available or do not meet their Product Security criteria for ease of use, deployment, and stability. The fix status is marked as 'deferred' for various Red Hat products including Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4, and Red Hat Satellite 6 (Red Hat).