CVE-2023-40080: 
NixOS vulnerability analysis and mitigation

In multiple functions of btm_ble_gap.cc, there is a possible out of bounds write vulnerability due to a logic error in the code. This vulnerability, identified as CVE-2023-40080, affects Android versions 13.0 and 14.0. The vulnerability was disclosed in December 2023 and could lead to local escalation of privilege without requiring additional execution privileges or user interaction (NVD).

The vulnerability exists in the Bluetooth Low Energy (BLE) component of Android's system stack, specifically in multiple functions within the btm_ble_gap.cc file. The issue stems from a logic error in the code that can result in an out-of-bounds write condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to local escalation of privilege on affected Android devices. An attacker who successfully exploits this vulnerability could gain elevated privileges on the system without requiring additional execution privileges. The impact is significant as it affects the system's security boundary and could potentially allow unauthorized access to protected system resources (NVD).

Google has addressed this vulnerability with a patch that fixes the multiple out-of-bounds bugs in btm_ble_gap.cc. The fix was implemented in a commit to the Android platform's Bluetooth module repository (Bluetooth Patch). Users should ensure their devices are updated with the latest security patches from the December 2023 security update.