CVE-2022-33729: 
NixOS vulnerability analysis and mitigation

Improper restriction of broadcasting Intent in ConfirmConnectActivity of NFC prior to SMR Aug-2022 Release 1 leaks MAC address of the connected Bluetooth device (Samsung Mobile, NVD). The vulnerability was discovered and reported in June 2022 and affects Android versions 10.0, 11.0, and 12.0.

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) by Samsung Mobile with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, while NVD assigned a score of 3.3 (Low) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-20 (Improper Input Validation) according to Samsung Mobile (NVD).

The vulnerability allows exposure of Bluetooth device MAC addresses through improper broadcasting of Intent in the NFC functionality. This could potentially lead to privacy concerns as MAC addresses can be used for device tracking (NVD).

The vulnerability was addressed in the Samsung Mobile Security Maintenance Release (SMR) Aug-2022 Release 1. Users should update their devices to this or a later security patch level to mitigate the vulnerability (Samsung Mobile).