CVE-2023-4046: 
NixOS vulnerability analysis and mitigation

CVE-2023-4046 is a security vulnerability discovered in Mozilla Firefox's WebAssembly (WASM) implementation. The vulnerability was disclosed on August 1, 2023, affecting Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. The issue occurs when a stale value could be used for a global variable in WASM JIT analysis, resulting in incorrect compilation and a potentially exploitable crash in the content process (Mozilla Advisory).

The vulnerability stems from an alias analysis bug in Firefox's JavaScript engine. The alias analyser ignores the last instruction in every block, which previously was acceptable as no block-ending instruction read or wrote memory. However, with the introduction of WASM exceptions and MWasmCallCatchable as a block terminator instruction that can modify memory, this assumption was broken. The issue specifically occurs when the analyser fails to process the last instruction in a block, leading to incorrect optimization of global variable values (Mozilla Bug).

The vulnerability can result in incorrect compilation of WebAssembly code under specific circumstances, potentially leading to crashes in the content process. While the bug affects the compilation process, it primarily impacts applications using WebAssembly with exception handling features, such as certain web-based emulators and potentially Adobe Photoshop's web version (Mozilla Advisory).

The vulnerability has been fixed in Firefox 116, Firefox ESR 102.14, and Firefox ESR 115.1. The fix involves modifying the alias analyser to process the last instruction in blocks and updating the alias set handling for specific instructions to prevent performance regressions. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Debian Advisory).