CVE-2023-40106: 
NixOS vulnerability analysis and mitigation

CVE-2023-40106 is a vulnerability discovered in Android's NotificationManagerService.java, specifically in the sanitizeSbn function. The vulnerability was disclosed in November 2023 and affects Android versions 11.0 through 14.0. This security flaw allows for a potential way to launch an activity from the background due to a Background Activity Launch (BAL) Bypass (Android Security Bulletin, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper handling of notification tokens in the NotificationManagerService, specifically related to the publicVersion of notifications, which could be exploited to bypass background activity launch restrictions (NVD).

Successful exploitation of this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The attacker could potentially launch activities from the background, bypassing Android's normal background activity launch restrictions. User interaction is not required for exploitation (CIS Advisory).

Google has addressed this vulnerability in the November 2023 security patch level. Users are advised to update their Android devices to the latest available security patch level. The fix involves stripping the token that allows apps to retrieve their own notifications and fire their own PI to launch activities from the background (Android Patch).