CVE-2023-49462: 
NixOS vulnerability analysis and mitigation

CVE-2023-49462 is a vulnerability discovered in libheif version 1.17.5, specifically affecting the component /libheif/exif.cc. The vulnerability was disclosed on December 7, 2023, and involves a segmentation violation in the software (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The impact affects confidentiality, integrity, and availability, all with high severity (NVD).

The vulnerability can lead to a segmentation violation, which could potentially result in program crashes and possible remote code execution. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (Ubuntu).

Multiple distributions have released fixes for this vulnerability. Ubuntu has fixed the issue in version 1.16.2-2ubuntu1.1 for the 23.10 (mantic) release. Debian has addressed the vulnerability in various releases including bullseye (1.11.0-1+deb11u2) and bookworm (1.15.1-1+deb12u1). The issue has been fixed in version 1.17.6 of libheif (Debian).