CVE-2024-6604: 
NixOS vulnerability analysis and mitigation

CVE-2024-6604 is a memory safety vulnerability affecting multiple Mozilla products including Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. The vulnerability was discovered by Randell Jesup and publicly disclosed on July 9, 2024. The issue was present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (Mozilla Advisory).

The vulnerability involves memory safety bugs that showed evidence of memory corruption. According to the security advisory, these bugs could potentially be exploited to run arbitrary code with enough effort. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a network-accessible vulnerability requiring user interaction (NVD).

The vulnerability could potentially allow attackers to execute arbitrary code on affected systems through memory corruption exploitation. In Thunderbird specifically, these flaws cannot be exploited through email since scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

The vulnerability has been fixed in Firefox 128, Firefox ESR 115.13, Thunderbird 115.13, and Thunderbird 128. Users are advised to update to these versions or later to mitigate the risk. Red Hat has also released security updates for affected products through RHSA-2024:4624 (Red Hat Advisory).