CVE-2025-0074: 
NixOS vulnerability analysis and mitigation

CVE-2025-0074 is a critical vulnerability discovered in the Android operating system affecting Android 15.0. The vulnerability exists in the processserviceattrrsp function of sdpdiscovery.cc within the Bluetooth module, where a use-after-free condition could lead to remote code execution. The vulnerability was disclosed on August 26, 2025, and was assigned a CVSS v3.1 base score of 9.8 (Critical) (AttackerKB, CIS Advisory).

The vulnerability is caused by incorrect logging in sdpdiscovery.cc, where log statements use structures that may have been freed by preceding calls in exceptional cases. This use-after-free condition in the processserviceattrrsp function of sdp_discovery.cc could allow an attacker to execute arbitrary code. The vulnerability requires no user interaction and can be exploited remotely without additional execution privileges (Android Source).

Successful exploitation of this vulnerability could lead to remote code execution with no additional execution privileges needed. The vulnerability has received a Critical severity rating with a CVSS v3.1 base score of 9.8, indicating high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires low attack complexity, and needs no user interaction (CIS Advisory).

Google has released a fix for this vulnerability in the March 2025 security bulletin. The fix involves using local variables instead of potentially freed structures in the log statements. Organizations and users are advised to apply the security updates as soon as they become available. The patch has been implemented in commit 37bcf769c1aa8dfa8e5524858d47f6a80b765fa4 (Android Source).