CVE-2024-0041: 
NixOS vulnerability analysis and mitigation

A race condition vulnerability exists in the removePersistentDot function of SystemStatusAnimationSchedulerImpl.kt in Android 14.0. The vulnerability (CVE-2024-0041) was discovered and disclosed in February 2024, affecting Android's system UI components. This security flaw could potentially lead to local privilege escalation without requiring additional execution privileges or user interaction (NVD).

The vulnerability stems from a logic error in the code that creates a race condition in the SystemStatusAnimationSchedulerImpl.kt component. The issue has been assigned a CVSS v3.1 base score of 7.0 (HIGH) by NIST with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. CISA's ADP assessment rated it higher at 8.4 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) (NVD).

The vulnerability can lead to local escalation of privilege, specifically causing a failure to remove the persistent dot in the Android system UI. This could potentially affect system status indicators and user interface elements (NVD).

A fix has been implemented and is available in the Android Security Bulletin for February 2024. The patch addresses the race condition by correcting the logic error in the SystemStatusAnimationSchedulerImpl.kt component (Android Patch, Android Security Bulletin).