CVE-2023-20914: 
NixOS vulnerability analysis and mitigation

In onSetRuntimePermissionGrantStateByDeviceAdmin of AdminRestrictedPermissionsUtils.java, there is a possible way for the work profile to read SMS messages due to a permissions bypass. This vulnerability, identified as CVE-2023-20914, affects Android version 11 and was disclosed in May 2023. The vulnerability requires user execution privileges but does not need user interaction for exploitation (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates local access is required, with low attack complexity, low privileges required, and no user interaction needed. The vulnerability primarily impacts confidentiality, with no effect on integrity or availability (NVD).

The vulnerability allows local information disclosure through unauthorized access to SMS messages in the work profile context. The successful exploitation could lead to the exposure of sensitive information contained in SMS messages, though it requires user execution privileges (NVD).

The vulnerability was addressed in the Android Security Bulletin of May 2023. Users should update their Android devices to the latest available security patch level to mitigate this vulnerability (Android Bulletin).