CVE-2025-26461: 
NixOS vulnerability analysis and mitigation

In Permission Manager of Android 16.0, a logic error in the code allows the microphone privacy indicator to remain activated even after the user attempts to close the app. This vulnerability (CVE-2025-26461) was disclosed on September 5, 2025, and affects Android 16.0 operating system (Android Bulletin).

The vulnerability stems from a logic error in the Permission Manager component that incorrectly handles the microphone privacy indicator state. The issue has been assigned a CVSS v3.1 Base Score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates a local attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, low confidentiality impact, and no impact on integrity or availability. The vulnerability is categorized under CWE-703 (Improper Check or Handling of Exceptional Conditions) (NVD).

The vulnerability could lead to local escalation of privilege without requiring additional execution privileges. The primary impact is on system confidentiality, as indicated by the CVSS metrics, potentially allowing unauthorized access to microphone status information (NVD).

Google has addressed this vulnerability in Android 16.0 through a security update. Users are advised to apply the latest security patches as provided in the Android Security Bulletin (Android Bulletin).