CVE-2025-48558: 
NixOS vulnerability analysis and mitigation

CVE-2025-48558 is a vulnerability discovered in Android's BatteryService.java component, disclosed on September 4, 2025. The vulnerability affects multiple versions of Android, including Android 13.0 through 16.0. It involves an implicit intent hijacking issue that could potentially allow unauthorized access to system app functionality (NVD, ASEC).

The vulnerability exists in multiple functions of BatteryService.java where implicit intent intended for system apps can be hijacked. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates local access is required, with low attack complexity and privilege requirements, and no user interaction needed. The vulnerability is classified under CWE-927 (Use of Implicit Intent for Sensitive Communication) (NVD, AttackerKB).

If exploited, this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The high CVSS impact scores for confidentiality, integrity, and availability (all rated as High) indicate that successful exploitation could result in significant system compromise (NVD).

Google has released a security patch to address this vulnerability in the September 5, 2025 Android security update. The fix prevents non-system ShutdownActivity from being launched by BatteryService. Users of affected Android versions (13.0 through 16.0) are advised to update their systems to the latest available version (Android Patch, ASEC).