CVE-2025-20884: 
NixOS vulnerability analysis and mitigation

Improper access control in Samsung Message prior to SMR Jan-2025 Release 1 allows physical attackers to access data across multiple user profiles. The vulnerability was assigned CVE-2025-20884 and was disclosed on February 04, 2025. The vulnerability affects Samsung devices running Android versions 12, 13, and 14 (Samsung Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (MEDIUM) with the following vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires physical access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N), needs no user interaction (UI:N), has unchanged scope (S:U), and can result in high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows physical attackers to access data across multiple user profiles in Samsung Message application. This could lead to unauthorized access to sensitive messaging data belonging to different users on the same device (Samsung Advisory).

Samsung has released a patch in the January 2025 Security Maintenance Release (SMR) that adds proper access control to address this vulnerability. Users are advised to update their devices to the latest security patch level to protect against this vulnerability (Samsung Advisory).