CVE-2024-6609: 
NixOS vulnerability analysis and mitigation

A memory corruption vulnerability (CVE-2024-6609) was discovered in Firefox and Thunderbird's NSS (Network Security Services) component. The vulnerability affects Firefox versions before 128 and Thunderbird versions before 128, where under low-memory conditions, an elliptic curve key that was never allocated could be incorrectly freed (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue occurs specifically in the NSS component when the system is running low on memory, potentially leading to a use-after-free condition with an unallocated elliptic curve key (NVD).

The vulnerability could potentially lead to memory corruption and security implications in affected versions of Firefox and Thunderbird. Given the CVSS score and vector, successful exploitation could result in high impacts on confidentiality, integrity, and availability of the affected systems (NVD).

The vulnerability has been fixed in Firefox 128 and Thunderbird 128. Users are advised to update their installations to these versions or later to mitigate the risk. For Firefox, the fix is available in version 128.0+build2-0ubuntu0.20.04.1 for Ubuntu 20.04 LTS (Ubuntu Security).