CVE-2025-26462: 
NixOS vulnerability analysis and mitigation

CVE-2025-26462 is a local privilege escalation vulnerability discovered in Android's AccessibilityServiceConnection.java component. The vulnerability was disclosed on September 04, 2025, and last updated on September 09, 2025. It affects multiple versions of Android including Android 13, 14, and 15. The vulnerability stems from a logic error in the code that could allow a background activity launch (AttackerKB, ASEC).

The vulnerability exists due to a logic error in AccessibilityServiceConnection.java where a service returning null in onBind() would remain bound by system_server, potentially allowing unauthorized background activity launches. The vulnerability has been assigned a CVSS v3 Base Score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The attack vector is Local, requires Low privileges, and needs No user interaction for exploitation (AttackerKB).

If exploited, this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The impact scores indicate High severity for Confidentiality, Integrity, and Availability, potentially allowing an attacker to gain elevated access to system resources (AttackerKB).

Google has released a security fix that prevents services returning null in onBind() from staying bound by system_server, effectively preventing unauthorized background activity launches. The fix was implemented in the Android security update for June 2025. Users are advised to update their Android devices to the latest available version (Android Source).