CVE-2025-48529: 
NixOS vulnerability analysis and mitigation

CVE-2025-48529 is an information disclosure vulnerability discovered in the Android Framework, specifically in the setRingtoneUri function of VoicemailNotificationSettingsUtil.java. The vulnerability was disclosed on September 4, 2025, affecting Android versions 13.0 through 16.0. This vulnerability stems from a possible cross-user data leak due to a confused deputy implementation (AttackerKB, ASEC).

The vulnerability exists in the Android Framework's voicemail notification settings mechanism. It specifically occurs in the setRingtoneUri function of VoicemailNotificationSettingsUtil.java, where a confused deputy implementation could lead to local information disclosure. The vulnerability has been assigned a CVSS v3 Base Score of 5.5 (Medium), with an Impact Score of 3.6 and Exploitability Score of 1.8. The attack vector is Local (AV:L), requiring Low privileges (PR:L) with No user interaction (UI:N) needed for exploitation (AttackerKB).

The vulnerability could lead to local information disclosure with no additional execution privileges needed. The potential impact primarily affects confidentiality (rated as High in the CVSS scoring), while having no direct impact on system integrity or availability. The vulnerability could allow unauthorized access to cross-user data through the voicemail notification settings (AttackerKB).

Google has addressed this vulnerability in the September 2025 security update. The fix involves removing the ability to save voicemail ringtone URIs in shared preferences and ensuring that TelephonyManager#getVoicemailRingtoneUri only queries from the notification channel. The patch also removes legacy code for migrating voicemail notification settings (Android Source).