CVE-2025-0076: 
NixOS vulnerability analysis and mitigation

CVE-2025-0076 is a local information disclosure vulnerability affecting multiple versions of the Android operating system (13.0, 14.0, and 15.0). The vulnerability was discovered and disclosed on September 4, 2025, and involves a missing permission check that allows viewing icons belonging to another user (Android Bulletin).

The vulnerability stems from a missing permission check in multiple locations within the Android framework, which could allow unauthorized access to icons belonging to other users. The vulnerability has been assigned a CVSS 3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates local access is required, with low attack complexity and privilege requirements, and no user interaction needed for exploitation (NVD).

The vulnerability leads to local information disclosure without requiring additional execution privileges. The impact is primarily limited to confidentiality breaches, with no direct effect on system integrity or availability (NVD).

Google has released security patches for this vulnerability as part of the September 2025 security update. Users of affected Android versions (13.0, 14.0, and 15.0) are advised to update their systems to the latest available version (ASEC).