CVE-2022-1097: 
NixOS vulnerability analysis and mitigation

CVE-2022-1097 is a high-severity use-after-free vulnerability discovered in Mozilla products. The vulnerability was identified in NSSToken objects that were referenced via direct pointers and could be accessed unsafely across different threads. This security flaw affects multiple Mozilla products including Firefox versions prior to 99, Firefox ESR versions before 91.8, and Thunderbird versions before 91.8. The vulnerability was discovered by Randell Jesup and publicly disclosed on April 5, 2022 (Mozilla Advisory).

The vulnerability stems from NSSToken objects being referenced through direct pointers that could be accessed in an unsafe manner across different threads. This improper handling of references could lead to a use-after-free condition when the reference count for slot->nssToken is decremented to 0 in another thread. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The vulnerability could result in a potentially exploitable crash due to memory corruption. In Firefox, the crash occurs in the parent process, though not directly in response to client-side actions. While the exact location of the use-after-free is not immediately obvious, the vulnerability could potentially be exploited to run arbitrary code with enough effort (Mozilla Advisory, Mozilla Advisory ESR).

The vulnerability was addressed in Firefox 99, Firefox ESR 91.8, and Thunderbird 91.8. The fix involved making PK11Slot_GetNSSToken thread-safe and implementing proper reference counting for NSSToken objects. Users are advised to upgrade to these versions or later to mitigate the vulnerability (Mozilla Advisory).