CVE-2025-48545: 
NixOS vulnerability analysis and mitigation

CVE-2025-48545 is a security vulnerability discovered in Android's AccountManagerService.java component, specifically in the isSystemUid function. The vulnerability was disclosed on September 4, 2025, affecting Android versions 13.0 through 16.0. This vulnerability is classified as an information disclosure issue in the Android framework (NVD, Android Bulletin).

The vulnerability is characterized as a confused deputy issue in the isSystemUid function of AccountManagerService.java, which could allow an application to access privileged APIs. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-441 (Unintended Proxy or Intermediary) (CISA Advisory).

The vulnerability allows unauthorized access to privileged APIs through a confused deputy attack. This could lead to local privilege escalation without requiring additional execution privileges. No user interaction is needed for exploitation, making it particularly concerning for Android security (AttackerKB).

Google has released a security patch as part of the September 2025 security update. The fix prevents SdkSandbox from bypassing the systemUid check, as evidenced by the patch commit. Users and organizations are advised to update their Android devices to the latest security patch level 2025-09-05 (Android Source).