CVE-2025-32333: 
NixOS vulnerability analysis and mitigation

CVE-2025-32333 is a local privilege escalation vulnerability discovered in the Android operating system, specifically in the startSpaActivityForApp function of SpaActivity.kt. The vulnerability was disclosed on September 4, 2025, affecting Android 14.0 systems. This security flaw stems from a logic error in the code that could lead to a cross-user permission bypass (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw is classified under CWE-863 (Incorrect Authorization). The vulnerability requires local access but has low attack complexity and requires no user interaction for exploitation (NVD).

If successfully exploited, this vulnerability could allow an attacker to bypass cross-user permissions and achieve local privilege escalation. The high CVSS score indicates that the vulnerability could potentially lead to complete compromise of confidentiality, integrity, and availability of the affected system, with no additional execution privileges needed (NVD).

Google has released a security patch as part of the September 2025 security update. Users are strongly advised to update their Android devices to a patch level of 2025-09-05 or later to address this vulnerability (Android Bulletin, ASEC).