CVE-2025-26461: 
NixOS vulnerability analysis and mitigation

CVE-2025-26461 is a vulnerability discovered in Android's Permission Manager component, disclosed on September 5, 2025. The vulnerability allows the microphone privacy indicator to remain activated even after the user attempts to close the app, due to a logic error in the code. This affects Android 16.0 systems and was reported by Android (associated with Google Inc. or Open Handset Alliance) (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is characterized by local attack vector, low attack complexity, requires low privileges, and no user interaction. It primarily impacts confidentiality with a low severity rating. The weakness is categorized under CWE-703 (Improper Check or Handling of Exceptional Conditions) (NVD).

The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The primary impact is on system confidentiality, as indicated by the CVSS metrics, while there are no direct impacts on integrity or availability of the system (NVD).

The vulnerability has been addressed in Android 16.0 security updates. Users are advised to update their Android devices to the latest security patch level (Android Bulletin).