CVE-2025-22404: 
NixOS vulnerability analysis and mitigation

CVE-2025-22404 is a local privilege escalation vulnerability discovered in Android's Bluetooth component, specifically in the avctlcbmsgind function of avctlcb_act.cc. The vulnerability was disclosed on August 26, 2025, affecting Android 15.0 systems. This use-after-free vulnerability allows for arbitrary code execution without requiring additional execution privileges or user interaction (NVD).

The vulnerability exists in the avctlcbmsgind function of avctlcb_act.cc where a use-after-free condition can lead to arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and no user interaction needed (NVD, AttackerKB).

The vulnerability can lead to local escalation of privilege with high impacts on confidentiality, integrity, and availability. An attacker successfully exploiting this vulnerability could execute arbitrary code with elevated privileges, potentially gaining complete control over the affected device (NVD).

Google has released a patch for this vulnerability in the March 2025 security update. Users are advised to update their Android devices to the latest available version that includes the security patch level of 2025-03-05 or later (Android Bulletin).