CVE-2024-0018: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability was identified in the convertYUV420Planar16ToY410 function of ColorConverter.cpp in Android's framework. The vulnerability, tracked as CVE-2024-0018, was disclosed in January 2024 and affects Android versions 11.0 through 14.0. This security flaw could potentially lead to local privilege escalation without requiring additional execution privileges or user interaction (Android Bulletin, NVD).

The vulnerability exists in the convertYUV420Planar16ToY410 function within ColorConverter.cpp, which can result in an out-of-bounds write due to a heap buffer overflow. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) by NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CISA-ADP has assessed it with a slightly higher score of 8.4, using the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to local privilege escalation, potentially allowing an attacker to execute code with elevated privileges. The high CVSS scores indicate that successful exploitation could result in significant impact on the confidentiality, integrity, and availability of the affected system (NVD).

Google has addressed this vulnerability through a patch that fixes the convertYUV420Planar16ToY410 overflow issue for unsupported crop width. The fix has been implemented in the Android security patch level dated January 2024 (Android Commit).