CVE-2025-22421: 
NixOS vulnerability analysis and mitigation

In contentDescForNotification of NotificationContentDescription.kt, there is a possible notification content leak through the lockscreen due to a logic error in the code. This vulnerability, tracked as CVE-2025-22421, affects Android versions 13.0, 14.0, and 15.0. The issue could lead to local information disclosure without requiring additional execution privileges or user interaction (AttackerKB).

The vulnerability stems from a logic error in the NotificationContentDescription.kt file, specifically in the contentDescForNotification function. The issue has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is characterized by a local attack vector, low attack complexity, low privileges required, and no user interaction needed (AttackerKB).

The vulnerability allows unauthorized access to notification content through the lockscreen, potentially exposing sensitive information. The impact is primarily focused on confidentiality with a high impact rating, while integrity and availability remain unaffected (AttackerKB).

Google has addressed this vulnerability with a patch that removes notification content from icon accessibility features. The fix was implemented through a commit (3b0704fd381a) in the Android platform frameworks base repository (Android Source).