CVE-2023-40075: 
NixOS vulnerability analysis and mitigation

CVE-2023-40075 is a vulnerability discovered in Android's ShortcutPackage.java component, specifically in the forceReplaceShortcutInner function. The vulnerability was disclosed on December 4, 2023, affecting Android versions 11.0 through 14.0. The issue stems from a missing bounds check that allows unlimited package registration (Android Bulletin, NVD).

The vulnerability exists due to a missing bounds check in the forceReplaceShortcutInner function of ShortcutPackage.java. This security flaw has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability requires local access but does not need user interaction for exploitation (NVD).

When exploited, this vulnerability can lead to a local denial of service condition that results in a boot loop of the affected device. The attack does not require additional execution privileges or user interaction to be successful (NVD).

A patch has been released in the December 2023 Android Security Bulletin. Users should update their Android devices to the latest security patch level to mitigate this vulnerability. The fix involves implementing proper bounds checking in the ShortcutPackage.java component (Android Bulletin, Google Git).