CVE-2025-32347: 
NixOS vulnerability analysis and mitigation

CVE-2025-32347 is a local privilege escalation vulnerability discovered in Android's BiometricEnrollIntroduction.java component. The vulnerability was disclosed on September 4, 2025, affecting multiple versions of the Android operating system including Android 13.0 through 16.0. The issue stems from an unsafe PendingIntent implementation during the biometric enrollment process (NVD).

The vulnerability exists in the onStart method of BiometricEnrollIntroduction.java, where an unsafe PendingIntent implementation could allow determination of the device's location. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue has been classified under CWE-926 (Improper Export of Android Application Components) (NVD).

If exploited, this vulnerability could lead to local privilege escalation on affected Android devices. The attacker could potentially determine the device's location and escalate privileges without requiring additional execution privileges. However, user interaction is required for successful exploitation (NVD).

Google has released a patch for this vulnerability in the September 2025 security update. The fix involves dropping PendingIntent extras from external packages during enrollment, as implemented in commit 25cfacbe5ac2423b8fe1375e0593ef69e98b8d09. Users are advised to update their Android devices to the latest security patch level (Android Source, Android Bulletin).