CVE-2023-40074: 
NixOS vulnerability analysis and mitigation

CVE-2023-40074 is a vulnerability discovered in Android's PersistableBundle.java component. The vulnerability was disclosed on December 4, 2023, affecting Android versions 11.0 through 13.0. The issue occurs in the saveToXml function where invalid data could lead to local persistent denial of service without requiring additional execution privileges or user interaction (NVD).

The vulnerability exists in the saveToXml function of PersistableBundle.java, where improper handling of invalid data can trigger a denial of service condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack requires local access but has low complexity and does not need user interaction (NVD).

When exploited, this vulnerability can result in a local persistent denial of service condition. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

A fix has been implemented in the Android security patch released in December 2023. The patch involves dropping invalid data when writing or reading from XML in the PersistableBundle component (Android Patch, Android Security Bulletin).