CVE-2023-40095: 
NixOS vulnerability analysis and mitigation

In createDontSendToRestrictedAppsBundle of PendingIntentUtils.java, there is a possible background activity launch vulnerability in Android operating system. This vulnerability (CVE-2023-40095) was discovered and disclosed in December 2023, affecting Android versions 11.0 through 14.0. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed, and user interaction is not required for exploitation (NVD).

The vulnerability exists in the createDontSendToRestrictedAppsBundle function of PendingIntentUtils.java due to a missing check. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 Base Score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability affects multiple versions of the Android operating system, including Android 11.0, 12.0, 12.1, 13.0, and 14.0 (NVD).

The vulnerability allows a local attacker to perform background activity launches, which could lead to local escalation of privilege. The impact is significant as it requires no additional execution privileges and can be exploited without user interaction (NVD).

Google has addressed this vulnerability in the December 2023 Android Security Bulletin. A patch has been released and is available through the Android security update system. The fix is implemented in the platform/frameworks/base repository (Android Git, Android Security Bulletin).