CVE-2024-1580: 
NixOS vulnerability analysis and mitigation

CVE-2024-1580 is an integer overflow vulnerability discovered in the dav1d AV1 decoder that affects video processing with large frame sizes. The vulnerability was disclosed on February 19, 2024, and affects multiple platforms including Apple's operating systems and the VideoLAN dav1d decoder. The issue was identified by Nick Galloway of Google Project Zero (NVD).

The vulnerability is classified as an integer overflow (CWE-190) that can occur when decoding videos with large frame sizes, potentially leading to memory corruption within the AV1 decoder. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST NVD, while Google Inc. assessed it with a score of 5.9 (MEDIUM). The vulnerability manifests as an out-of-bounds write issue that was later addressed through improved input validation (NVD).

The vulnerability can lead to arbitrary code execution when processing images or videos. This poses a significant security risk as successful exploitation could allow attackers to execute malicious code on affected systems through specially crafted media files (Apple Security).

The vulnerability has been patched in dav1d version 1.4.0 and later. Apple has released security updates for affected systems: iOS 17.4.1, iPadOS 17.4.1, iOS 16.7.7, iPadOS 16.7.7, macOS Sonoma 14.4.1, macOS Ventura 13.6.6, Safari 17.4.1, and visionOS 1.1.1. Users are recommended to update to these latest versions to mitigate the vulnerability (Fedora Update, Apple Security).