CVE-2023-40100: 
NixOS vulnerability analysis and mitigation

CVE-2023-40100 is a memory corruption vulnerability discovered in the discovery_thread function of Dns64Configuration.cpp within Android's DNS resolver component. The vulnerability was disclosed in the November 2023 Android Security Bulletin and affects Android versions 11.0 through 14.0. The issue stems from a use-after-free condition that could lead to local privilege escalation (Android Bulletin, NVD).

The vulnerability exists in the DNS64 discovery thread implementation where the thread is detached from the binder requesting thread but continues to reference resources that don't belong to it. These resources can be destroyed during DNS resolver destruction, leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could allow for local privilege escalation with no additional execution privileges needed. An attacker could potentially install programs, view, change, or delete data, or create new accounts with full rights. User interaction is not required for exploitation (CIS Advisory).

The vulnerability has been patched by implementing a fix that holds a strong pointer of Dns64Configuration in the DNS64 discovery thread, ensuring that the instance of Dns64Configuration remains until the DNS64 thread is force terminated. Users should apply the November 2023 security patch level or later to mitigate this vulnerability (Android Patch).