CVE-2023-44488: 
NixOS vulnerability analysis and mitigation

CVE-2023-44488 affects VP9 in libvpx versions before 1.13.1, where it mishandles widths during encoding operations, leading to a crash. The vulnerability was discovered in September 2023 and affects multiple operating systems and distributions including Debian, Red Hat Enterprise Linux, Fedora, and Ubuntu (NVD, Debian Security).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically relates to improper width handling in the VP9 encoding process, which can trigger a crash in the encoding operation. The vulnerability is categorized under CWE-755 (Improper Handling of Exceptional Conditions) (NVD).

The primary impact of this vulnerability is a denial of service condition through application crashes during VP9 video encoding operations. The vulnerability affects the availability of systems using the libvpx library for VP9 encoding, though there are no reported impacts on confidentiality or integrity (Debian Security).

The vulnerability has been fixed in libvpx version 1.13.1. The fix was implemented through a patch that addresses the width handling issue in VP9 encoding. Various distributions have released security updates: Debian has fixed it in version 1.9.0-1+deb11u2 for bullseye and 1.12.0-1+deb12u2 for bookworm, Fedora has released version 1.12.0-4.fc37, and Gentoo recommends upgrading to version 1.13.1 or later (Debian Security, Fedora Update).