CVE-2024-34738: 
NixOS vulnerability analysis and mitigation

CVE-2024-34738 is a vulnerability discovered in Android OS affecting multiple functions of AppOpsService.java. The vulnerability allows unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This vulnerability was disclosed in August 2024 and affects Android versions 13.0 and 14.0 (Android Bulletin, NVD).

The vulnerability stems from a logic error in the AppOpsService.java component that incorrectly handles restrictRead app-op states. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CISA-ADP has also assessed it with a slightly different score of 7.7 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation. This could potentially allow unprivileged applications to access restricted information they shouldn't have access to (NVD).

Google has released a patch to address this vulnerability in the August 2024 security update. The fix includes filtering out restricted appOps status for unprivileged readers and allowing additional privileged appOps permission holder reading restricted appOps status (Android Source).