CVE-2023-40079: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2023-40079 was discovered in Android's ShortcutService.java, specifically in the injectSendIntentSender function. The vulnerability was disclosed in December 2023 and affects Android version 14.0. This security flaw allows for a background activity launch through a permissions bypass mechanism (NVD, Android Bulletin).

The vulnerability exists in the injectSendIntentSender function of ShortcutService.java, where a permissions bypass can lead to unauthorized background activity launches. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, low privileges required, and no user interaction needed for exploitation (NVD).

The vulnerability enables local escalation of privilege without requiring additional execution privileges. This could potentially allow an attacker to execute unauthorized background activities, bypassing normal permission restrictions (NVD).

A patch has been released in the Android Security Bulletin for December 2023. The fix involves rescinding BAL (Background Activity Launch) privilege when ShortcutService sends the callback PI (PendingIntent). The patch specifically addresses the issue where AppWidgetManager.requestPinAppWidget calls from a client could bypass BAL checks (Android Patch).