CVE-2021-39691: 
NixOS vulnerability analysis and mitigation

In WindowManager of Android versions 10, 11, and 12, there is a possible tapjacking attack due to an incorrect window flag when processing user input. The vulnerability (CVE-2021-39691) was disclosed in June 2022 and could lead to local escalation of privilege with no additional execution privileges needed, though user interaction is required for exploitation (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The weakness is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). The vulnerability affects the WindowManager component's handling of window flags during user input processing (NVD).

If exploited, this vulnerability could allow an attacker to perform a tapjacking attack, potentially leading to local escalation of privilege. The attack could compromise the confidentiality, integrity, and availability of the system, as indicated by the high CVSS ratings for all three impact metrics (NVD).

The vulnerability was addressed in the Android Security Bulletin of June 2022. Users should update their Android devices to the security patch level of 2022-06-01 or later to receive the fix (Android Bulletin).