CVE-2022-26387: 
NixOS vulnerability analysis and mitigation

CVE-2022-26387 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability discovered in Firefox's add-on signature verification process. The vulnerability affects Firefox versions prior to 98, Firefox ESR versions before 91.7, and Thunderbird versions before 91.7. When installing an add-on, Firefox verified the signature before prompting the user, but while the user was confirming the prompt, the underlying add-on file could have been modified without Firefox detecting the change (Mozilla Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.5 (High), with attack vector being Network, attack complexity High, requiring user interaction, and having potential High impact on confidentiality, integrity, and availability. The core issue is a TOCTOU violation in the add-on signature verification process, where Firefox would release the file after initial validation but before actual installation, creating a window of opportunity for file tampering (Ubuntu CVE).

The vulnerability could allow an attacker to bypass Firefox's add-on signature verification system. This could potentially lead to the installation of malicious add-ons that would otherwise be blocked by Firefox's security checks. The issue is particularly concerning for local file installations, where the attacker would know the exact file location, though it also affects web-based installations through temporary file manipulation (Mozilla Bug).

The vulnerability was fixed in Firefox 98, Firefox ESR 91.7, and Thunderbird 91.7. The fix involves verifying the XPI content immediately before installation, after copying the file from its original location to a staging directory. This ensures that any tampering with the original file between initial verification and installation would be detected (Mozilla Bug).