CVE-2024-10466: 
NixOS vulnerability analysis and mitigation

CVE-2024-10466 is a vulnerability discovered in Mozilla Firefox and Thunderbird that affects Firefox versions prior to 132, Firefox ESR versions prior to 128.4, Thunderbird versions prior to 128.4, and Thunderbird versions prior to 132. The vulnerability was disclosed on October 29, 2024, and involves a denial of service condition that can be triggered through push message functionality (Mozilla Advisory).

The vulnerability allows a remote server to cause a denial of service condition by sending a specially crafted push message that can hang the parent process of the browser, making it unresponsive. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low attack complexity, and primarily impacts system availability (NVD).

When exploited, the vulnerability can cause the browser or email client to become completely unresponsive by hanging the parent process. This results in a denial of service condition that affects the availability of the application, potentially disrupting user activities and requiring a restart to restore functionality (Mozilla Advisory).

The vulnerability has been fixed in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Users are advised to update their installations to these or later versions to mitigate the risk. The fix was released as part of Mozilla's regular security updates (Mozilla Advisory).