CVE-2024-11691: 
NixOS vulnerability analysis and mitigation

CVE-2024-11691 is a high-severity vulnerability discovered in WebGL operations affecting Apple silicon M series devices. The vulnerability was disclosed on November 26, 2024, and affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. The vulnerability was discovered by researchers Dohyun Lee, Youngho Choi, and Geumhwan Cho from Korea University (Mozilla Advisory).

The vulnerability is classified as an out-of-bounds write vulnerability (CWE-787) that could lead to memory corruption due to a flaw in Apple's GPU driver. The issue specifically affects WebGL operations on Apple M series hardware, while other platforms remain unaffected. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to memory corruption and potential arbitrary code execution through out-of-bounds write operations. The high CVSS score indicates that successful exploitation could result in significant impacts to confidentiality, integrity, and availability of the affected systems (Mozilla Advisory).

The vulnerability has been patched in Firefox 133, Firefox ESR 128.5, Firefox ESR 115.18, Thunderbird 133, Thunderbird 128.5, and Thunderbird 115.18. Users are advised to update their applications to these versions or later to mitigate the risk (Mozilla Advisory).