CVE-2025-26443: 
NixOS vulnerability analysis and mitigation

CVE-2025-26443 is a high-severity local privilege escalation vulnerability discovered in Android's System component, specifically in the parseHtml function of HtmlToSpannedParser.java. The vulnerability was disclosed on September 4, 2025, affecting Android versions 13.0, 14.0, and 15.0. The flaw allows installation of apps without requiring permission for unknown sources due to a logic error in the code (NVD, SecurityWeek).

The vulnerability exists in the parseHtml function of HtmlToSpannedParser.java, where a logic error enables bypassing the security mechanism for installing applications from unknown sources. The vulnerability has received a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The flaw is classified under CWE-693 (Protection Mechanism Failure) (NVD).

If exploited, this vulnerability could lead to local privilege escalation, allowing attackers to install applications without the normally required security permissions for unknown sources. The impact is significant as it affects multiple versions of Android and could potentially compromise device security by bypassing built-in protection mechanisms (NVD, GBHackers).

Google has addressed this vulnerability in the June 2025 Android security update. A patch has been released and is available in the Android Open Source Project repository. Users are strongly advised to update their devices to security patch level 2025-06-01 or later to protect against this vulnerability (ASEC, Android Source).