CVE-2024-0021: 
NixOS vulnerability analysis and mitigation

CVE-2024-0021 is a vulnerability discovered in Android's NotificationAccessConfirmationActivity.java component. The vulnerability allows an application in the work profile to enable notification listener services due to a logic error in the code. This vulnerability was disclosed in January 2024 and affects Android versions 13.0 and 14.0 (NVD).

The vulnerability exists in the onCreate method of NotificationAccessConfirmationActivity.java, where a logic error enables unauthorized access to notification listener services. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires user interaction for exploitation but does not need additional execution privileges (NVD).

The vulnerability can lead to local escalation of privilege, potentially allowing an application in the work profile to gain unauthorized access to notification listener services. This could compromise the security boundary between work and personal profiles on Android devices (Android Bulletin).

Google has addressed this vulnerability through a patch, which can be found in the Android source code repository. The fix ensures that work profile applications cannot enable notification listener services without proper authorization (Android Patch).