CVE-2025-0093: 
NixOS vulnerability analysis and mitigation

CVE-2025-0093 is a security vulnerability discovered in Android's Bluetooth functionality, specifically in the handleBondStateChanged method of AdapterService.java. The vulnerability was disclosed on August 26, 2025, affecting multiple versions of the Android operating system including Android 12.0, 12.1, 13.0, 14.0, and 15.0. This security issue stems from a missing permission check that could potentially allow unauthorized data access (Android Security Bulletin, NVD).

The vulnerability exists in the handleBondStateChanged method of AdapterService.java component, where a missing permission check creates a security weakness. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The issue specifically relates to the handling of Bluetooth device bonding states and permission management (NVD, AttackerKB).

The vulnerability could lead to remote information disclosure without requiring additional execution privileges. The impact is primarily focused on confidentiality, with a High rating for information disclosure potential, while having no direct impact on system integrity or availability (NVD).

Google has addressed this vulnerability in the March 2025 security update for Android. The fix involves resetting permissions for non-bonded devices and implementing proper permission checks in accordance with PBAP and MAP specifications. Users of affected Android versions should update their devices to the latest security patch level (Android Commit).