CVE-2023-40098: 
NixOS vulnerability analysis and mitigation

CVE-2023-40098 is a vulnerability discovered in Android's NotificationConversationInfo.java component, specifically in the mOnDone function. The vulnerability was disclosed in December 2023 and affects Android versions 12.0 through 14.0. This security flaw allows unauthorized access to app notification data of another user due to a logic error in the code (Android Bulletin, NVD).

The vulnerability exists in the mOnDone function of NotificationConversationInfo.java and has been assigned a CVSS v3.1 base score of 5.5 (Medium). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability could lead to local information disclosure, potentially exposing app notification data of other users on the same device. No additional execution privileges are required for exploitation, making it a significant privacy concern for multi-user Android devices (NVD).

Google has addressed this vulnerability in the December 2023 Android Security Bulletin. Users should update their Android devices to the latest security patch level to mitigate this vulnerability (Android Bulletin).