
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability identified as CVE-2024-29748 affects Google Pixel devices. The vulnerability was discovered in early 2024 and involves a logic error in the code that could lead to local escalation of privilege with no additional execution privileges needed. User interaction is required for exploitation (NVD).
CVE-2024-29748 is a high-severity elevation of privilege vulnerability in the Pixel firmware. The vulnerability allows attackers to circumvent factory resets initiated by apps using the device admin API. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows local attackers to bypass factory resets initiated by device admin apps. Even with Google's firmware fix, it remains possible to halt the wipe process by cutting power to the device, potentially exposing sensitive data (SOCRadar, BleepingComputer).
Google has released a patch in the April 2024 security update for Pixel phones. Users can apply the update by navigating to Settings > Security & privacy > System & updates > Security update, and tapping install. A device restart is required to complete the update. GrapheneOS is working on implementing a more robust solution, including a stronger duress PIN/password feature and a secure 'panic wipe' action (BleepingComputer).
GrapheneOS, a privacy-enhanced and security-focused Android distribution, publicly disclosed information about forensic companies actively exploiting the vulnerability while keeping specific details private to prevent widespread exploitation (BleepingComputer).
Source: This report was generated using AI