CVE-2023-40073: 
NixOS vulnerability analysis and mitigation

CVE-2023-40073 is a vulnerability discovered in Android's Notification.java component, specifically in the visitUris function. The vulnerability was disclosed in December 2023 and affects Android versions 11.0 through 14.0. This security issue involves a cross-user media read vulnerability due to a Confused Deputy problem (NVD, Android Bulletin).

The vulnerability exists in the visitUris function of Notification.java, where a Confused Deputy issue could allow unauthorized cross-user media read operations. The severity of this vulnerability has been rated as MEDIUM with a CVSS v3.1 base score of 5.5 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The vulnerability requires local access but does not need user interaction for exploitation (NVD).

If exploited, this vulnerability could lead to local information disclosure without requiring additional execution privileges. The primary impact is the potential exposure of media content across user boundaries, which could compromise user privacy and data confidentiality (NVD).

Google has addressed this vulnerability in the December 2023 Android Security Bulletin. The fix involves changes to the visitUris function in Notification.java, including unifying Bundle.getParcelable/getParcelableArray() calls to use the type-safe version (Android Patch).