CVE-2022-28281: 
NixOS vulnerability analysis and mitigation

CVE-2022-28281 is a high-severity vulnerability discovered in Mozilla products that affects Firefox < 99, Firefox ESR < 91.8, and Thunderbird < 91.8. The vulnerability was discovered by security researcher Axel '0vercl0k' Souchet and disclosed in April 2022 (Mozilla Advisory, NVD).

The vulnerability is an out-of-bounds write vulnerability (CWE-787) that occurs in the WebAuthN Extensions handling. When a compromised content process sends an unexpected number of WebAuthN Extensions in a Register command to the parent process, it can trigger an out-of-bounds write leading to memory corruption. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could lead to memory corruption and a potentially exploitable crash, potentially allowing arbitrary code execution. The vulnerability requires a compromised content process to exploit, limiting its impact to scenarios where an attacker has already achieved some level of control over the browser process (Mozilla Advisory).

The vulnerability was fixed in Firefox 99, Firefox ESR 91.8, and Thunderbird 91.8. Users should update to these versions or later to protect against this vulnerability. The fix involved implementing proper bounds checking for WebAuthN Extensions in the Register command processing (Mozilla Advisory).