CVE-2023-6859: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-6859) was discovered that affects TLS socket creation when under memory pressure. This vulnerability impacts Firefox ESR versions before 115.6, Thunderbird versions before 115.6, and Firefox versions before 121 (Mozilla Advisory, NVD).

The vulnerability is classified as a use-after-free condition (CWE-416) that specifically affects the PR_GetIdentitiesLayer function during TLS socket creation under memory pressure conditions. The issue has been assigned a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD).

The vulnerability could potentially lead to remote code execution due to memory corruption. The high CVSS score indicates that successful exploitation could result in significant impacts to confidentiality, integrity, and availability of the affected system (Mozilla Advisory).

The vulnerability has been fixed in Firefox ESR 115.6, Thunderbird 115.6, and Firefox 121. Users are strongly recommended to upgrade to these versions or later. Multiple Linux distributions have also released security updates to address this vulnerability, including Debian and Gentoo (Debian Advisory, Gentoo Advisory).