CVE-2023-40122: 
NixOS vulnerability analysis and mitigation

CVE-2023-40122 is a vulnerability discovered in Android's Framework component, specifically in the applyCustomDescription function of SaveUi.java. The vulnerability was disclosed on February 15, 2024, affecting Android versions 11.0 through 14.0. This security flaw allows potential viewing of other users' images due to a confused deputy issue (Android Bulletin, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 3.3 (LOW) according to NVD, while CISA-ADP rates it at 5.3 (MEDIUM). The vulnerability vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access, low attack complexity, low privileges required, no user interaction needed, and potential for information disclosure (NVD).

The vulnerability can lead to local information disclosure without requiring additional execution privileges. An attacker who successfully exploits this vulnerability could view other users' images, potentially compromising user privacy (NVD).

Google has released a patch to address this vulnerability, which can be found in the February 2024 security update. Users are advised to update their Android devices to the latest available security patch level. The fix involves checking permissions of Autofill icon URIs in SaveUI's template and Inline Suggestions slices (Android Patch).