
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-31320 is a security vulnerability in Android's companion device association functionality, specifically in the setSkipPrompt method of AssociationRequest.java. The vulnerability was discovered and disclosed on July 9, 2024, affecting Android versions 12.0 and 12.1. This vulnerability allows unauthorized companion device association without requiring confirmation through CDM (Companion Device Manager) (NVD).
The vulnerability exists in the setSkipPrompt functionality of AssociationRequest.java, which improperly handles companion device associations. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access with low attack complexity and no user interaction required. The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-269 (Improper Privilege Management) (NVD).
The vulnerability enables local escalation of privilege without requiring additional execution privileges. An attacker could establish unauthorized companion device associations, bypassing the normal confirmation process, which could lead to unauthorized access to device features and data (NVD).
Google has addressed this vulnerability through security patches, with fixes implemented in the Android codebase. The patches include modifications to both AssociationRequest.java and CompanionDeviceManagerService.java to prevent unauthorized skipping of confirmation prompts (Android Source, Android Source).
Source: This report was generated using AI