CVE-2024-6600: 
NixOS vulnerability analysis and mitigation

CVE-2024-6600 is a memory corruption vulnerability discovered in the WebGL API of Mozilla Firefox and related products. The vulnerability was reported by security researcher pwn2car and was disclosed on July 9, 2024. This security flaw affects Firefox versions prior to 128, Firefox ESR versions prior to 115.13, Thunderbird versions prior to 115.13, and Thunderbird versions prior to 128 (Mozilla Advisory, NVD).

The vulnerability stems from lenient large allocation checks in the Angle component for GLSL shaders, which could result in an out-of-bounds access when allocating more than 8192 integers in private shader memory specifically on macOS systems. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The weakness has been categorized as CWE-770 (Allocation of Resources Without Limits or Throttling) (CISA-ADP).

The vulnerability could lead to memory corruption through out-of-bounds access in the WebGL API. When exploited, this could potentially affect system stability and security, particularly in browser or browser-like contexts. In Thunderbird, while the risk is minimized since scripting is disabled when reading mail, the vulnerability remains a potential risk in browser-like contexts (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 128, Firefox ESR 115.13, Thunderbird 115.13, and Thunderbird 128. Users are strongly advised to update their installations to these or later versions to mitigate the risk. The fix involves implementing proper allocation checks in the Angle component for GLSL shaders (Mozilla Advisory).