CVE-2024-0752: 
NixOS vulnerability analysis and mitigation

CVE-2024-0752 is a use-after-free vulnerability discovered in Mozilla Firefox that affects versions prior to 122. The vulnerability was identified on macOS systems and is specifically related to Firefox's update process. The issue was discovered and reported by Nika Layzell, and was officially disclosed on January 23, 2024 (Mozilla Advisory, NVD).

The vulnerability occurs due to a timeout in the synchronous wait in UpdateDriverSetupMacCommandLine for a dispatch to the main thread. The issue stems from a closure for the runnable that holds references to stack local values, which can lead to a use-after-free condition when the timeout is triggered. The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

If exploited, this vulnerability could result in an exploitable crash of the Firefox browser when an update is being applied on a very busy macOS system. The impact is considered moderate, primarily affecting the availability of the application (Mozilla Advisory).

The vulnerability has been fixed in Firefox version 122. Users are advised to update to this version or later to mitigate the risk. The fix involves modifying the update process to only call SetupMacCommandLine if the browser is restarting (Mozilla Advisory).