CVE-2022-22763: 
NixOS vulnerability analysis and mitigation

CVE-2022-22763 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects versions Firefox < 96, Firefox ESR < 91.6, and Thunderbird < 91.6. The vulnerability was reported by the Mozilla Fuzzing Team and was disclosed in February 2022. It involves a script execution issue during worker shutdown, where code could run at an invalid point in the lifecycle (Mozilla Advisory).

The vulnerability occurs when a worker is shutdown, allowing script execution late in the lifecycle at a point where it should not be possible. The issue specifically involves a situation where a worker begins shutdown, triggering a WeakWorkerRef notification and stream closure, but additional JavaScript execution attempts occur during this shutdown process. This can lead to assertion failures and potential memory corruption issues. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability is rated as having a moderate security impact. While it primarily results in assertion failures and potential crashes, it represents an invariant violation that could potentially be chained with other vulnerabilities. The issue affects script execution timing during worker shutdown, which could lead to unexpected behavior and potential security implications (Red Hat Advisory).

The vulnerability was fixed in Firefox 96, Firefox ESR 91.6, and Thunderbird 91.6. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix involves improving checks for script execution during worker shutdown and implementing proper handling of worker lifecycle states (Mozilla Advisory).