CVE-2021-39743: 
NixOS vulnerability analysis and mitigation

In PackageManager of Android 12L, there is a possible way to update the last usage time of another package due to a missing permission check (CVE-2021-39743). The vulnerability was discovered and reported by Google's Android security team (Android ID: A-201534884). This security issue could lead to local escalation of privilege with no additional execution privileges needed, and user interaction is not required for exploitation (Android Security Bulletin).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from a missing authorization check (CWE-862) in the PackageManager component, which could allow an attacker to manipulate package usage timestamps (NVD Database).

The vulnerability could lead to local escalation of privilege, potentially allowing an attacker to gain unauthorized access to package usage information and modify timestamps. The high CVSS score indicates serious potential impacts on confidentiality, integrity, and availability of the affected system (NVD Database).

The vulnerability has been patched in Android 12L. Users should update their devices to the latest available version that includes the security patch. The fix was included in the Android 12L Security Bulletin (Android Security Bulletin).