CVE-2022-40960: 
NixOS vulnerability analysis and mitigation

CVE-2022-40960 is a high-severity vulnerability discovered in Mozilla Firefox's URL parser implementation. The vulnerability was reported by Armin Ebert and fixed in Firefox 105 and Firefox ESR 102.3, released on September 20, 2022. The issue affects Firefox's handling of non-UTF-8 URLs in concurrent thread operations (Mozilla Advisory).

The vulnerability stems from a thread-safety issue in the URL parser when handling non-UTF-8 data. Specifically, the concurrent use of the URL parser with non-UTF-8 data was not thread-safe, which could trigger a use-after-free condition. The issue manifests when parsing javascript: URI strings with a non-UTF-8 charset parameter, particularly during worker thread creation (Mozilla Bug).

The vulnerability is rated as high severity and could lead to a use-after-free condition causing a potentially exploitable crash. This could potentially allow attackers to execute arbitrary code on affected systems. The issue affects multiple Mozilla products including Firefox, Firefox ESR, and Thunderbird (Mozilla Advisory).

The vulnerability was fixed in Firefox 105, Firefox ESR 102.3, and Thunderbird 102.3. The fix involved making the nsTextToSubURI::UnEscapeNonAsciiURI function static to prevent thread-safety issues. Users are advised to upgrade to these versions or later to mitigate the vulnerability (Mozilla Advisory).