Cyber Resilience

CVE-2025-36897

Critical

Published: 04 September 2025

Published
04 September 2025
Modified
05 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 55.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36897 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 44.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-36897 is a critical vulnerability (CVSS 9.8) involving a possible out-of-bounds write due to a missing bounds check in cd_CnMsgCodecUserApi.cpp (CWE-787). It affects Google Pixel devices, as documented in the Android security bulletin for September 2025.

A remote attacker can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Successful exploitation could lead to remote code execution in the context of the affected component (C:H/I:H/A:H), without additional execution privileges needed.

The Android Pixel security bulletin dated 2025-09-01 addresses this issue with patches for affected devices. For mitigation details, refer to https://source.android.com/security/bulletin/pixel/2025-09-01.

EU & UK References

Vulnerability details

In unknown of cd_CnMsgCodecUserApi.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Out-of-bounds write with AV:N/UI:N/PR:N directly enables unauthenticated remote code execution on the client device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0122Same product: Google Android
CVE-2024-49749Same product: Google Android
CVE-2024-53842Same product: Google Android
CVE-2026-0120Same product: Google Android
CVE-2024-49745Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2024-43767Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2026-0113Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces bounds checking on untrusted network inputs to the message codec API, preventing the out-of-bounds write vulnerability.

prevent

Implements memory protections such as ASLR, DEP, and stack canaries to block remote code execution from buffer overflow exploits.

prevent

Mandates identification, reporting, and patching of the specific out-of-bounds write flaw in cd_CnMsgCodecUserApi.cpp to eliminate the vulnerability.

References