CVE-2025-0084: 
NixOS vulnerability analysis and mitigation

CVE-2025-0084 is a critical vulnerability discovered in Android's Bluetooth implementation. The vulnerability was disclosed on August 26, 2025, affecting Android versions 13.0, 14.0, and 15.0. It involves a possible out of bounds write due to a use after free condition in multiple locations of the Bluetooth implementation, specifically when HFP (Hands-Free Profile) support is enabled (NVD, Android Bulletin).

The vulnerability is classified as CWE-416 (Use After Free) and has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical root cause involves a race condition where it becomes possible to reference a freed instance of the discovery database in a second connection once the first one is closed, specifically in the SDP (Service Discovery Protocol) implementation (NVD, Android Source).

The vulnerability could lead to remote code execution over Bluetooth if HFP support is enabled. The attack requires no additional execution privileges and can be executed without user interaction. The impact is particularly severe as it affects confidentiality, integrity, and availability of the system, all rated as High in the CVSS scoring (NVD, CIS Advisory).

Google has released security patches as part of the March 2025 Android Security Bulletin. Users are strongly advised to update their Android devices to the security patch level 2025-03-05 or later. The fix includes modifications to the SDP discovery implementation to check for already allocated databases and additional null checks in the processservicesearchattrrsp function (Android Source, Android Bulletin).