CVE-2024-7652: 
NixOS vulnerability analysis and mitigation

CVE-2024-7652 is a high-severity vulnerability discovered in the implementation of Async Generators in JavaScript engines. The vulnerability affects multiple versions of Mozilla products including Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. The issue was initially discovered by security researcher Nils Bars and was publicly disclosed on September 6, 2024 (Mozilla Advisory).

The vulnerability stems from an error in the ECMA-262 specification relating to Async Generators, introduced by a May 2021 spec refactor. The issue occurs when the internal async generator machinery calls regular promise resolver functions on IteratorResult objects that it creates, assuming these objects won't be then-ables. However, since these IteratorResult objects inherit from Object.prototype, they can be made then-able, triggering arbitrary behavior and potentially violating internal invariants. This can result in type confusion, potentially leading to memory corruption and an exploitable crash. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can potentially lead to memory corruption and exploitable crashes in affected systems. When successfully exploited, it could result in type confusion and pointer dereference issues, which could potentially allow attackers to execute arbitrary code. The high CVSS score indicates significant potential impact on system availability (GitHub Advisory).

The vulnerability has been addressed in Firefox 128, Firefox ESR 115.13, Thunderbird 115.13, and Thunderbird 128. Users are advised to upgrade to these or later versions to mitigate the risk. The ECMAScript specification has also been updated to address the underlying specification issue (Mozilla Advisory).