CVE-2024-0745: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2024-0745) is a stack buffer overflow in the WebAudio OscillatorNode object discovered in Mozilla Firefox versions prior to 122. The flaw was reported by Yangkang of 360 ATA Team and was disclosed on January 23, 2024. This security issue affected Firefox browsers across multiple platforms (Mozilla Advisory, NVD).

The vulnerability is classified as a stack buffer overflow vulnerability in the WebAudio OscillatorNode object's implementation. It received a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw was introduced in Firefox 119 through a regression and involves missing boundary checks for ticks + start, detune + start, and end - start parameters (Mozilla Bug).

The vulnerability could lead to a potentially exploitable crash when triggered. The stack buffer overflow condition could allow an attacker to corrupt memory, though the immediate impact was primarily limited to denial of service. The high CVSS score indicates potential for significant impact on confidentiality, integrity, and availability of the affected system (NVD, Mozilla Advisory).

The vulnerability was fixed in Firefox 122.0. Users are advised to upgrade to Firefox version 122 or later to receive the security patch. The fix involves implementing additional checks to ensure the OscillatorNode produces silence if the stop time is before the start time, similar to existing behavior in ConstantSourceNode (Mozilla Advisory).