CVE-2025-48548: 
NixOS vulnerability analysis and mitigation

CVE-2025-48548 is a race condition vulnerability discovered in multiple functions of AppOpsControllerImpl.java in Android operating system. The vulnerability was disclosed on September 4, 2025, affecting Android versions 13.0, 14.0, and 15.0. The issue allows recording audio without displaying the privacy indicator, which could lead to local escalation of privilege (NVD).

The vulnerability stems from a race condition in the AppOpsControllerImpl.java implementation where there is improper synchronization in handling audio recording permissions. It has been assigned a CVSS v3.1 base score of 7.3 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (AttackerKB).

The vulnerability could allow an attacker to bypass the privacy indicator when recording audio, potentially leading to unauthorized audio recording without user awareness. This could result in local privilege escalation with user execution privileges. The impact is particularly significant as it affects the privacy and security mechanisms designed to alert users about active audio recording (NVD).

Google has released security patches to address this vulnerability in the September 2025 security update. Users are strongly advised to update their Android devices to the latest security patch level. The fix includes validating the full attribute chain for recording and correcting the AppOps refcount mismatch (Android Git).