CVE-2024-31315: 
NixOS vulnerability analysis and mitigation

In multiple functions of ManagedServices.java in Android, there is a vulnerability (CVE-2024-31315) that allows hiding an app with notification access in the Device & app notifications settings due to improper input validation. The vulnerability affects Android versions 12.0, 12.1, 13.0, and 14.0. This vulnerability was disclosed and published on July 9, 2024 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability stems from improper input validation in the ManagedServices.java component. CISA-ADP has also assessed this vulnerability with a slightly lower CVSS score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The successful exploitation could result in high impacts on confidentiality, integrity, and availability of the affected system (NVD).

A patch has been released to address this vulnerability, as documented in the Android Security Bulletin. The fix involves checking for NLS bind permission when rebinding services and updating the verification process for packages with NLS components (Android Patch).