CVE-2025-21005: 
NixOS vulnerability analysis and mitigation

Improper access control in isemtelephony prior to Android 15 allows local attackers to access sensitive information. This vulnerability was discovered on April 8, 2024 and was disclosed on July 8, 2025, affecting Samsung Android devices running versions prior to Android 15 (Samsung Mobile).

The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper access control implementation in the isemtelephony component, which could allow unauthorized access to sensitive information. The vulnerability requires local access and low privileges to exploit, with no user interaction needed (NVD).

The vulnerability allows local attackers to access sensitive information through the isemtelephony component. The impact is primarily focused on confidentiality, with high potential for sensitive data exposure, while not affecting integrity or availability of the system (Samsung Mobile).

Samsung has addressed this vulnerability by adding proper access control in Android 15. Users are advised to update their devices to Android 15 or later versions to mitigate this security issue (Samsung Mobile).

The vulnerability was responsibly disclosed by security researcher Knifefish, who worked with Samsung to address the issue. Samsung acknowledged the researcher's contribution in their security bulletin (Samsung Mobile).