
Cloud Vulnerability DB
A community-led vulnerabilities database
In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. The vulnerability (CVE-2023-21246) affects Android versions 11.0, 12.0, 12.1, and 13.0. This security issue was addressed in the July 2023 Android Security Bulletin (Android Bulletin).
The vulnerability exists in the ShortcutInfo component of Android's framework base. The issue occurs when a Conversation is created with a ShortcutId longer than 65,535 (the maximum unsigned short value): a length restriction in FastDataOutput then prevents the conversation settings from being saved into notification_policy.xml. Because the save fails, user changes to the importance settings or notification toggles for the affected conversation have no effect on notification behavior (Android Source). The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation. The impact primarily affects the notification system's security controls, allowing an application to bypass user-defined notification settings (NVD).
Google addressed this vulnerability in the July 2023 Android Security Bulletin. The fix truncates the ShortcutInfo Id so that it stays within the FastDataOutput length restriction and the settings can be persisted. Users should update their Android devices to the latest security patch level to receive the fix (Android Source).
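The failure mode described above, as an added illustration that is not code from the Android project or from this report: a writer with a 2-byte (unsigned short) length prefix is used here as a constructed stand-in for the FastDataOutput restriction, and `save_policy_vulnerable`, `save_policy_fixed`, `sanitize_shortcut_id` and `read_policy` are hypothetical names. The vulnerable path lets one oversized id abort the whole save, so every conversation setting is silently lost; the fixed path truncates the id at the serialization boundary, as the patch does, and the settings round-trip.

```python
import struct

MAX_U16 = 0xFFFF  # largest length a 2-byte length prefix can encode


class LengthLimitError(ValueError):
    """Raised when a string does not fit the unsigned-short length prefix."""


def write_utf(buf: bytearray, s: str) -> None:
    # Constructed stand-in for a writeUTF-style call with a u16 length prefix.
    data = s.encode("utf-8")
    if len(data) > MAX_U16:
        raise LengthLimitError(f"string is {len(data)} bytes, limit is {MAX_U16}")
    buf += struct.pack(">H", len(data)) + data


def save_policy_vulnerable(conversations):
    """Serialize every (shortcut_id, important) pair into one record.

    Mirrors the bug: an oversized id raises while the record is being built,
    the exception is not handled per entry, and nothing is persisted (None).
    """
    buf = bytearray()
    try:
        for shortcut_id, important in conversations:
            write_utf(buf, shortcut_id)
            buf += b"\x01" if important else b"\x00"
    except LengthLimitError:
        return None  # the whole policy file is left unwritten
    return bytes(buf)


def sanitize_shortcut_id(shortcut_id: str) -> str:
    """Truncate the id to the u16 byte budget without keeping a split character."""
    data = shortcut_id.encode("utf-8")[:MAX_U16]
    return data.decode("utf-8", errors="ignore")


def save_policy_fixed(conversations) -> bytes:
    """Same serialization, but ids are truncated before they reach the writer."""
    buf = bytearray()
    for shortcut_id, important in conversations:
        write_utf(buf, sanitize_shortcut_id(shortcut_id))
        buf += b"\x01" if important else b"\x00"
    return bytes(buf)


def read_policy(blob: bytes):
    """Parse the record back into a list of (shortcut_id, important) pairs."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        shortcut_id = blob[pos:pos + n].decode("utf-8")
        pos += n
        out.append((shortcut_id, blob[pos] == 1))
        pos += 1
    return out


if __name__ == "__main__":
    # Constructed sample: one normal conversation and one with an oversized id.
    sample = [("chat-1", False), ("x" * 70_000, True)]
    print("vulnerable save persisted:", save_policy_vulnerable(sample) is not None)
    print("fixed save round-trip:", [(i[:8], v) for i, v in read_policy(save_policy_fixed(sample))])
```

The defender-side lesson is that persistence of a security control should fail loudly per entry (or reject the input at the boundary) rather than let one bad record discard every user decision in the file.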
Source: This report was generated using AI