CVE-2025-26436: 
NixOS vulnerability analysis and mitigation

CVE-2025-26436 is a vulnerability discovered in Android's PendingIntentRecord.java component, specifically in the clearAllowBgActivityStarts function. The vulnerability was disclosed on September 4, 2025, affecting Android versions 13.0, 14.0, and 15.0. This security flaw allows an application to launch activities from the background by bypassing Background Activity Launches (BAL) restrictions (Android Bulletin).

The vulnerability exists in the clearAllowBgActivityStarts function of PendingIntentRecord.java, where the BAL privileges of a PendingIntent only cleared the tokens but maintained the duration-based entries. This implementation flaw is exclusively used by SystemUI in the NotificationManagerService. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to local escalation of privilege with no additional execution privileges needed and requires no user interaction for exploitation. This could potentially allow malicious applications to bypass Android's background activity launch restrictions, compromising the system's security model (NVD).

Google has released security patches to address this vulnerability in the May 2025 security update. The fix involves modifying the clearAllowBgActivityStarts function to properly clear both tokens and duration-based entries. Users are strongly advised to update their Android devices to the latest available version (Android Bulletin, ASEC).