CVE-2022-26386: 
NixOS vulnerability analysis and mitigation

CVE-2022-26386 is a security vulnerability affecting Firefox and Thunderbird on macOS and Linux systems. The issue was discovered when temporary files were being downloaded to /tmp directory instead of a user-specific directory, making them accessible to other local users. This vulnerability was reported by a researcher known as 'attila' and was fixed in Firefox ESR 91.7 and Thunderbird 91.7, released in March 2022 (Mozilla Advisory).

The vulnerability occurred due to a change in behavior where Firefox and Thunderbird would download temporary files directly to the /tmp directory instead of the user-specific directory /tmp/mozilla${USER}0. The original directory had permissions set to 0700, ensuring only the owner could access the files. The change exposed downloaded files to other local users, creating a potential security risk where attackers could predict or monitor file creation ([Mozilla Bug](https://bugzilla.mozilla.org/showbug.cgi?id=1752396)).

The vulnerability has been classified as having a low security impact. It only affects Firefox and Thunderbird installations on macOS and Linux systems, with Windows being unaffected. The main risk is that local users on the same system could access temporary files downloaded by Firefox or Thunderbird, potentially exposing sensitive information (Mozilla Advisory).

The issue was fixed by reverting to the original behavior of storing temporary files in a user-specific directory (/tmp/mozilla_${USER}0) with proper permissions. The fix was implemented in Firefox ESR 91.7 and Thunderbird 91.7. Users should update to these versions or newer to mitigate the vulnerability (Mozilla Advisory).