CVE-2025-26442: 
NixOS vulnerability analysis and mitigation

CVE-2025-26442 is a high-rated information disclosure vulnerability discovered in the Android Framework. The vulnerability was disclosed on September 4, 2025, and affects Android versions 13.0, 14.0, and 15.0. The issue exists in the onCreate method of NotificationAccessConfirmationActivity.java, where there is an incorrect verification of proper intent filters in NLS (Notification Listener Service) (AttackerKB, ASEC).

The vulnerability stems from a logic error in the code that leads to improper verification of intent filters in the Notification Listener Service. It has been assigned a CVSS v3.1 Base Score of 5.5 (Medium), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The attack vector is Local, with low attack complexity and privilege requirements, requiring no user interaction (AttackerKB).

The vulnerability could lead to local information disclosure with no additional execution privileges needed. The confidentiality impact is rated as High, while there are no integrity or availability impacts. This means an attacker could potentially access sensitive information from the affected system (AttackerKB).

Google has released security updates to address this vulnerability as part of the May 2025 security patch level. Users of affected Android versions (13.0, 14.0, and 15.0) are strongly advised to update their devices to the latest available version (ASEC).