CVE-2025-0087: 
NixOS vulnerability analysis and mitigation

CVE-2025-0087 is a privilege escalation vulnerability discovered in the Android Framework, specifically in the UninstallerActivity.java component. The vulnerability was disclosed in May 2025 and affects Android versions 13.0, 14.0, and 15.0. The issue stems from a missing permission check that could allow an attacker to uninstall a different user's app (Android Source, AttackerKB).

The vulnerability exists in the onCreate method of UninstallerActivity.java where a missing permission check allows for unauthorized app uninstallation across user profiles. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.1 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L. The attack vector is local, requires low attack complexity, needs no privileges, and requires no user interaction (AttackerKB).

If exploited, this vulnerability allows a local attacker to uninstall applications belonging to different user profiles without proper authorization. This could lead to local escalation of privilege with no additional execution privileges needed. The impact primarily affects the confidentiality and availability of the system, with potential for disruption of user services (CIS Advisory).

Google has released a security patch to address this vulnerability. Users and organizations are advised to update their Android devices to the security patch level dated May 5, 2025 or later. The fix involves implementing proper permission checks in the UninstallerActivity component to ensure that only the parent profile can uninstall apps from child profiles (Android Source).