CVE-2023-6856: 
NixOS vulnerability analysis and mitigation

The WebGL DrawElementsInstanced method was found to be vulnerable to a heap buffer overflow when used on systems with the Mesa VM driver. This vulnerability, tracked as CVE-2023-6856, was discovered in December 2023 and affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121 (Mozilla Advisory, NVD).

The vulnerability is classified as a heap buffer overflow in the WebGL DrawElementsInstanced method specifically when running on systems using the Mesa VM driver. The issue has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high severity vulnerability that requires user interaction but no privileges for exploitation (NVD).

This vulnerability could allow an attacker to perform remote code execution and sandbox escape, potentially compromising the security of the affected system. The high CVSS score reflects the serious potential impact, with possible consequences including unauthorized code execution and escape from browser security controls (Mozilla Advisory).

The vulnerability has been patched in Firefox 121.0, Firefox ESR 115.6, and Thunderbird 115.6. Users are strongly advised to upgrade to these or later versions to mitigate the risk. Various Linux distributions have also released security updates to address this vulnerability, including Debian, Ubuntu, and Red Hat (Debian Advisory, Ubuntu Security, Red Hat Advisory).