CVE-2025-20954: 
NixOS vulnerability analysis and mitigation

Use of implicit intent for sensitive communication in EnrichedCall prior to SMR May-2025 Release 1 allows local attackers to access sensitive information. The vulnerability, identified as CVE-2025-20954, was discovered on December 7, 2024, and affects Android versions 13, 14, and 15. This security issue requires user interaction for triggering this vulnerability (Samsung Mobile, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates a local attack vector with low attack complexity, no privileges required, and user interaction required. The impact is limited to high confidentiality breach, with no impact on integrity or availability (NVD, Wiz).

The vulnerability allows local attackers to access sensitive information when successfully exploited. The impact is primarily focused on confidentiality, with potential exposure of sensitive data related to EnrichedCall functionality (Samsung Mobile).

Samsung has addressed this vulnerability in the May 2025 Security Maintenance Release (SMR). The patch adds proper access control to prevent unauthorized access to sensitive information. Users are advised to update their devices to the latest security patch level (Samsung Mobile).