CVE-2022-20486: 
NixOS vulnerability analysis and mitigation

CVE-2022-20486 is a vulnerability discovered in Android's NotificationChannel.java component that affects Android versions 10, 11, 12, 12L, and 13. The vulnerability involves a possible failure to persist permissions settings due to resource exhaustion, which could lead to local escalation of privilege. The issue was disclosed in the December 2022 Android Security Bulletin (Android Bulletin).

The vulnerability exists in the NotificationChannel component of NotificationChannel.java and is characterized by resource exhaustion issues that affect the persistence of permissions settings. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 Base Score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The vulnerability can lead to local escalation of privilege on affected Android devices. No additional execution privileges are needed for exploitation, and user interaction is not required. The impact is significant as it affects multiple versions of the Android operating system and could allow attackers to gain elevated privileges on the device (Android Bulletin).

Google addressed this vulnerability in the December 2022 Android Security Bulletin. Users should ensure their Android devices are updated with the latest security patches to mitigate this vulnerability. The fix was included in the 2022-12-01 security patch level (Android Bulletin).