CVE-2024-0029: 
NixOS vulnerability analysis and mitigation

CVE-2024-0029 is a vulnerability discovered in the Android Framework that affects Android 13.0 and potentially other versions. The vulnerability stems from a logic error in multiple files that allows capturing device screen content when it should be disallowed by device policy. This vulnerability was disclosed in the February 2024 Android Security Bulletin (Android Bulletin).

The vulnerability is characterized by a logic error in the code that incorrectly handles screen capture disabled states across multiple users. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires local access but no user interaction for exploitation (NVD).

If exploited, this vulnerability could lead to local escalation of privilege, allowing an attacker to capture screen content even when explicitly forbidden by device policy. This poses a significant security risk as it could potentially expose sensitive information that should be protected by policy controls (CIS Advisory).

Google has addressed this vulnerability by implementing a fix that properly tracks screen capture policies for each user in a set, replacing the previous single-integer tracking system. The fix has been implemented in the Android codebase and is available through the February 2024 security patch (Android Patch).