CVE-2023-4576: 
NixOS vulnerability analysis and mitigation

CVE-2023-4576 is a high-severity vulnerability discovered in Mozilla Firefox's RecordedSourceSurfaceCreation functionality. The vulnerability was disclosed on August 29, 2023, affecting Firefox versions prior to 117, Firefox ESR versions prior to 102.15 and 115.2, and Thunderbird versions prior to 102.15 and 115.2. This security flaw specifically impacts Windows systems, while other operating systems remain unaffected (Mozilla Advisory).

The vulnerability stems from an integer overflow condition in the RecordedSourceSurfaceCreation function, which subsequently leads to a heap buffer overflow. This technical issue has been assigned a CVSS v3.1 base score of 8.6 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The exploitation of this vulnerability could result in the leakage of sensitive data from the GPU process to the content process, potentially leading to a sandbox escape. The impact is particularly significant as it could compromise the security boundaries between different processes in the browser (Mozilla Advisory).

Mozilla has addressed this vulnerability by implementing additional validation in RecordedSourceSurfaceCreation. The fix was released in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2. Users are strongly advised to update to these or later versions to mitigate the risk (Mozilla Advisory).