CVE-2023-21099: 
NixOS vulnerability analysis and mitigation

In multiple methods of PackageInstallerSession.java in Android, there is a vulnerability (CVE-2023-21099) that allows starting foreground services from the background due to a logic error in the code. This vulnerability affects Android versions 11, 12, 12L, and 13. The issue was disclosed and patched in the Android Security Bulletin of April 2023 (Android Bulletin).

The vulnerability exists in the PackageInstallerSession.java component and is caused by a logic error that incorrectly handles the starting of foreground services from the background. The severity of this vulnerability has been assessed with a CVSS 3.1 Base Score of 7.8 (HIGH), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The vulnerability can be exploited without user interaction, potentially allowing an attacker to gain unauthorized access to system resources and perform privileged operations (NVD).

The vulnerability was addressed in the Android Security Bulletin of April 2023. Users should update their Android devices to a security patch level of April 5, 2023, or later to receive the fix (Android Bulletin).