CVE-2024-49728: 
NixOS vulnerability analysis and mitigation

CVE-2024-49728 is a vulnerability discovered in the Android Bluetooth system, specifically in the generateFileInfo function of BluetoothOppSendFileInfo.java. The vulnerability was disclosed on September 2, 2025, affecting Android versions 13.0, 14.0, and 15.0. This security issue involves a possible cross-user media disclosure due to a confused deputy issue (NVD, Android Bulletin).

The vulnerability exists in the generateFileInfo function of BluetoothOppSendFileInfo.java component of Android's Bluetooth system. It has been classified as a confused deputy vulnerability (CWE-610: Externally Controlled Reference to a Resource in Another Sphere). The CVSS v3.1 base score is 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access, low attack complexity, low privileges required, no user interaction needed, and high confidentiality impact (NVD).

The vulnerability could lead to local information disclosure with no additional execution privileges needed. The primary impact is on data confidentiality, potentially allowing cross-user media disclosure, while integrity and availability are not affected (NVD).

Google has addressed this vulnerability by validating that the content URI belongs to the current user. The fix involves checking that the userInfo part of the content URI is either implicit or matches the current userId. The patch was implemented in the Android codebase through commit 4b65cbb339db4d3a7a9a6100cb2e7c9f1ece9271 (Android Source).