CVE-2021-39706: 
NixOS vulnerability analysis and mitigation

In onResume of CredentialStorage.java, there is a possible way to cleanup content of credentials storage due to a missing permission check. This vulnerability, identified as CVE-2021-39706, affects Android versions 10, 11, and 12. The issue was disclosed in the March 2022 Android Security Bulletin and is tracked internally as Android ID: A-200164168 (NVD, Android Bulletin).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack vector is local (AV:L), with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is unchanged (S:U), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If exploited, this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The attacker could potentially clean up the content of credentials storage, affecting the security of stored credentials (NVD).

The vulnerability was addressed in the March 2022 Android Security Bulletin. Users should update their Android devices to the latest available security patch level to protect against this vulnerability (Android Bulletin).