CVE-2025-21000: 
NixOS vulnerability analysis and mitigation

Improper privilege management in Bluetooth prior to SMR Jul-2025 Release 1 allows local attackers to enable Bluetooth. The vulnerability was discovered and reported on April 25, 2025, and was assigned CVE-2025-21000. This vulnerability affects Samsung Android devices running versions 13, 14, and 15 (Samsung Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) by NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. However, Samsung Mobile's assessment differs, rating it at 6.2 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability stems from improper privilege management in the Bluetooth component (NVD).

The vulnerability allows local attackers to enable Bluetooth functionality on affected devices without proper authorization. This could potentially lead to unauthorized Bluetooth connections and associated security risks (Samsung Advisory).

Samsung has addressed this vulnerability in the SMR Jul-2025 Release 1 by adding proper validation logic. Users are advised to update their devices to this security patch level to mitigate the vulnerability (Samsung Advisory).