CVE-2020-6807: 
NixOS vulnerability analysis and mitigation

CVE-2020-6807 is a high-severity use-after-free vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird browsers. The vulnerability was disclosed on March 10, 2020, and affects Firefox versions prior to 74.0, Firefox ESR versions prior to 68.6.0, and Thunderbird versions prior to 68.6.0 (Mozilla Advisory).

The vulnerability occurs when a device is changed while a stream is about to be destroyed, causing the stream-reinit task to potentially execute after the stream has been destroyed. This leads to a use-after-free condition in the cubeb audio processing component, which could result in a potentially exploitable crash. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to cause memory corruption and potentially execute arbitrary code on the affected system. The high severity rating indicates that successful exploitation could lead to significant compromise of the system's confidentiality, integrity, and availability (Mozilla Advisory).

The vulnerability has been fixed in Firefox 74.0, Firefox ESR 68.6.0, and Thunderbird 68.6.0. Users are advised to update to these versions or later to mitigate the risk. For Ubuntu users, security updates have been released for Ubuntu 19.10 and 18.04 ESM (thunderbird 1:68.7.0+build1-0ubuntu0.19.10.1 and 1:68.7.0+build1-0ubuntu0.18.04.1 respectively) (Ubuntu Advisory).