CVE-2023-46246: 
NixOS vulnerability analysis and mitigation

CVE-2023-46246 is a security vulnerability discovered in Vim, an improved version of the UNIX editor Vi. The vulnerability was disclosed on October 26, 2023, and affects versions up to (excluding) 9.0.2068. The issue involves a heap-use-after-free vulnerability in memory allocated in the function ga_grow_inner in the file src/alloc.c, which is freed in src/ex_docmd.c and then used again in src/cmdhist.c (GitHub Advisory).

The vulnerability occurs when using the :history command, where the provided argument can overflow the accepted value, causing an Integer Overflow and potentially leading to a use-after-free condition. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on system availability (NVD).

The primary impact of this vulnerability is on system availability, potentially leading to a denial of service (DoS) condition. The vulnerability has been rated as having a moderate severity impact, as it requires local access and does not affect confidentiality or integrity of the system (GitHub Advisory, NetApp Advisory).

The vulnerability has been patched in Vim version 9.0.2068. Users are advised to upgrade to this version or later to address the security issue. The fix involves adding checks to ensure that the return value from the vimstr2nr() function is not larger than INTMAX (GitHub Patch).

Various Linux distributions and software vendors have responded to this vulnerability by releasing security updates. Fedora has released updates for versions 38 and 39 to address this vulnerability, and NetApp has issued an advisory for their affected products (Fedora Update, NetApp Advisory).