CVE-2023-3600: 
NixOS vulnerability analysis and mitigation

CVE-2023-3600 is a high-severity use-after-free vulnerability discovered in Mozilla products. The vulnerability affects Firefox versions prior to 115.0.2, Firefox ESR versions prior to 115.0.2, and Thunderbird versions prior to 115.0.1. The issue was discovered by Andrew McCreight and disclosed in July 2023 (Mozilla Advisory).

The vulnerability occurs during the worker lifecycle where a use-after-free condition could arise, potentially leading to an exploitable crash. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (NVD).

If exploited, this vulnerability could lead to a potentially exploitable crash, which might allow attackers to execute arbitrary code. Given the high CVSS score and the critical nature of use-after-free vulnerabilities, successful exploitation could potentially compromise affected systems (Mozilla Advisory).

The vulnerability has been patched in Firefox 115.0.2, Firefox ESR 115.0.2, and Thunderbird 115.0.1. Users are advised to update their installations to these versions or newer to mitigate the risk. The fix involved moving worker creation into an Init() method to prevent the use-after-free condition (Mozilla Advisory).