CVE-2023-41910: 
NixOS vulnerability analysis and mitigation

CVE-2023-41910 is a vulnerability discovered in lldpd before version 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This vulnerability occurs in the cdp_decode function in daemon/protocols/cdp.c. The vulnerability was discovered by Matteo Memelli and was disclosed in September 2023 (Debian Security, NIST NVD).

The vulnerability is caused by an out-of-bounds read vulnerability in the CDP address parsing functionality within lldpd. The issue specifically occurs in the cdp_decode function located in daemon/protocols/cdp.c. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility and no required privileges or user interaction (NIST NVD).

The exploitation of this vulnerability could lead to a denial of service condition through memory corruption. When successfully exploited, an attacker can force the lldpd daemon to perform an out-of-bounds read on heap memory, potentially causing system instability or crashes (Debian Security).

The vulnerability has been fixed in lldpd version 1.0.17. Users are strongly recommended to upgrade to this version or later. For specific distributions: Debian 10 (buster) users should upgrade to version 1.0.3-1+deb10u2, Debian 11 (bullseye) users should upgrade to version 1.0.11-1+deb11u2, and Debian 12 (bookworm) users should upgrade to version 1.0.16-1+deb12u1 (Debian LTS, Debian Security).