CVE-2024-4765: 
NixOS vulnerability analysis and mitigation

CVE-2024-4765 is a security vulnerability discovered in Firefox for Android, disclosed on May 14, 2024. The vulnerability stems from web application manifests being stored using an insecure MD5 hash, which could allow for hash collisions. This vulnerability specifically affects Firefox for Android, while other versions of Firefox are unaffected (Mozilla Advisory).

The vulnerability exists in the manifest storage mechanism where web application manifests were stored using MD5 hashing. The technical issue involves the generateHash function in Manifest.sys.mjs using an insecure MD5 hash instead of a more secure alternative like SHA-256. This implementation could allow an attacker to create hash collisions, potentially leading to the overwriting of existing manifest files (Mozilla Bugzilla).

The vulnerability has been rated as having a moderate impact. If exploited, an attacker could potentially overwrite another application's manifest through hash collision attacks. This could lead to arbitrary code execution in the context of the existing application, potentially allowing attackers to access sensitive data such as cookies, login credentials, or other private information (Mozilla Advisory, CIS Advisory).

The vulnerability has been fixed in Firefox 126.0. Users should update their Firefox for Android installations to version 126.0 or later to receive the security fix. The fix involves replacing the MD5 hash with SHA-256 for manifest storage (Mozilla Advisory).