CVE-2024-0014: 
NixOS vulnerability analysis and mitigation

CVE-2024-0014 is a vulnerability discovered in Android's UpdateFetcher.java component that affects Android versions 11.0 through 14.0. The vulnerability was disclosed on February 15, 2024, and involves a logic error in the startInstall function that could potentially trigger malicious config updates (NVD, Android Bulletin).

The vulnerability exists in the startInstall function of UpdateFetcher.java and is characterized by a logic error that could be exploited without requiring additional execution privileges. The severity of this vulnerability has been assessed with a CVSS 3.1 base score of 7.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CISA-ADP has assigned an even higher base score of 8.4 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to local escalation of privilege on affected Android devices. What makes this particularly concerning is that no user interaction is required for exploitation, and it affects multiple versions of the Android operating system including Android 11.0, 12.0, 12.1, 13.0, and 14.0 (NVD).

Google has addressed this vulnerability in the February 2024 Android Security Bulletin. Users of affected Android versions should ensure their devices are updated with the latest security patches (Android Bulletin).