CVE-2025-21001: 
NixOS vulnerability analysis and mitigation

Improper access control in LeAudioService prior to SMR Jul-2025 Release 1 allows local attackers to stop broadcasting Auracast. The vulnerability was discovered and reported on April 25, 2025, by researcher hsia.angsh, and was assigned CVE-2025-21001. This vulnerability affects Samsung Android devices running versions 14 and 15 (Samsung Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) by NIST NVD, while Samsung Mobile assigned it a score of 6.2 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The vulnerability stems from improper access control implementation in the LeAudioService component (NVD Database).

When exploited, this vulnerability allows local attackers to stop broadcasting Auracast, potentially disrupting audio streaming services. The impact is primarily focused on the integrity of the audio broadcasting functionality, with no direct impact on confidentiality or availability of the system (Samsung Advisory).

Samsung has addressed this vulnerability by adding proper access control in the SMR Jul-2025 Release 1 security update. Users are advised to update their devices to this version or later to protect against potential exploitation (Samsung Advisory).