CVE-2025-21000: 
NixOS vulnerability analysis and mitigation

Improper privilege management in Bluetooth prior to SMR Jul-2025 Release 1 allows local attackers to enable Bluetooth. This vulnerability was assigned CVE-2025-21000 and was reported on April 25, 2025. The vulnerability affects Android versions 13, 14, and 15 on Samsung mobile devices (Samsung Mobile).

The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) by NIST with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Samsung Mobile assessed it with a score of 6.2 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability stems from improper privilege management in the Bluetooth component, allowing unauthorized local access to Bluetooth functionality (NVD).

The vulnerability allows local attackers to enable Bluetooth without proper authorization. This could potentially lead to unauthorized Bluetooth connections and compromise the device's wireless security controls (Samsung Mobile).

Samsung has addressed this vulnerability by adding proper validation logic in the SMR Jul-2025 Release 1 security update. Users should update their devices to this version or later to mitigate the vulnerability (Samsung Mobile).