CVE-2025-36897
Published: 04 September 2025
Summary
CVE-2025-36897 is an Out-of-bounds Write (CWE-787) vulnerability in Google Android, affecting Pixel devices. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 50.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The controls our analysis identified as most relevant are NIST 800-53 SI-10 (Information Input Validation), which addresses the missing bounds check itself, and SI-16 (Memory Protection), which is a compensating control that raises the cost of turning the write into code execution until the vendor patch is applied.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces bounds checking on untrusted network inputs to the message codec API, so a peer-supplied length can no longer drive a write past the destination buffer. This is the control the patch itself implements.
- SI-16 (Memory Protection): memory protections such as ASLR, DEP/W^X, and stack canaries do not prevent the out-of-bounds write, but they make reliable remote code execution from it harder and turn many attempts into crashes rather than code execution.
- Flaw remediation: identify, report, and patch the specific out-of-bounds write in cd_CnMsgCodecUserApi.cpp to eliminate the vulnerability; the September 2025 Pixel bulletin carries the fix.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds write is reachable with AV:N/PR:N/UI:N, so a remote, unauthenticated attacker can reach code execution on the client device without any user action. That is the Exploitation for Client Execution (T1203) pattern: a memory-safety flaw in client-side parsing code triggered by attacker-controlled input.
NVD Description
In unknown of cd_CnMsgCodecUserApi.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2025-36897 is a critical vulnerability (CVSS 9.8) caused by a possible out-of-bounds write due to a missing bounds check in cd_CnMsgCodecUserApi.cpp (CWE-787). The NVD text does not identify the affected function ("In unknown of ..."), only the file. It affects Google Pixel devices, as documented in the Pixel security bulletin for September 2025.
A remote attacker can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Successful exploitation could lead to remote code execution in the context of the affected component (C:H/I:H/A:H), without additional execution privileges needed.
The Android Pixel security bulletin dated 2025-09-01 addresses this issue with patches for affected devices. For mitigation details, refer to https://source.android.com/security/bulletin/pixel/2025-09-01.
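The flaw class described above (a message codec copying a peer-declared number of bytes without checking it against the destination) and the SI-10 bounds-checking control are easier to see side by side in code. The following is an added example, not code from Android or from cd_CnMsgCodecUserApi.cpp (whose affected function the advisory does not name); the TLV-style wire format ([type:1][len:1][value:len]), the `FIELD_CAP` capacity, the function names and the sample messages are all constructed for this illustration. The vulnerable decoder writes into a larger arena we own so the overflow can be measured instead of corrupting the stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical capacity of the caller's output field. */
#define FIELD_CAP 16

/* Vulnerable decoder (the CWE-787 pattern): trusts the length byte supplied by
 * the remote peer and never compares it with the output capacity or with the
 * number of input bytes actually present. */
static int decode_field_unchecked(const uint8_t *msg, size_t msg_len,
                                  uint8_t *out, size_t out_cap, uint8_t *type)
{
    (void)out_cap;                    /* the missing bounds check */
    if (msg_len < 2) return -1;
    *type = msg[0];
    size_t len = msg[1];              /* attacker-controlled, 0..255 */
    memcpy(out, msg + 2, len);        /* writes past out when len > out_cap */
    return (int)len;
}

/* Hardened decoder: the peer-declared length is validated against both the
 * remaining input (no out-of-bounds read) and the output capacity (no
 * out-of-bounds write) before any copy happens. */
static int decode_field_checked(const uint8_t *msg, size_t msg_len,
                                uint8_t *out, size_t out_cap, uint8_t *type)
{
    if (msg_len < 2) return -1;        /* header incomplete */
    size_t len = msg[1];
    if (len > msg_len - 2) return -2;  /* value truncated: would read past input */
    if (len > out_cap) return -3;      /* value too large: would write past output */
    *type = msg[0];
    memcpy(out, msg + 2, len);
    return (int)len;
}

/* Harness: the output field is the first FIELD_CAP bytes of a larger arena
 * filled with 0xAA; any 0xAA byte beyond FIELD_CAP that changes was hit by an
 * out-of-bounds write. Returns the decoder's negative error code on rejection,
 * otherwise the number of clobbered bytes past the field. */
typedef int (*decoder_fn)(const uint8_t *, size_t, uint8_t *, size_t, uint8_t *);

static int run_decoder(decoder_fn fn, const uint8_t *msg, size_t msg_len)
{
    uint8_t arena[2 * FIELD_CAP];
    memset(arena, 0xAA, sizeof arena);
    uint8_t type = 0;
    int r = fn(msg, msg_len, arena, FIELD_CAP, &type);
    if (r < 0) return r;
    int clobbered = 0;
    for (size_t i = FIELD_CAP; i < sizeof arena; i++)
        clobbered += (arena[i] != 0xAA);
    return clobbered;
}

static int run_unchecked(const uint8_t *msg, size_t msg_len)
{ return run_decoder(decode_field_unchecked, msg, msg_len); }

static int run_checked(const uint8_t *msg, size_t msg_len)
{ return run_decoder(decode_field_checked, msg, msg_len); }

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_GOOD[] = { 0x01, 0x04, 'A', 'B', 'C', 'D' };
/* len = 24 but the field only holds 16 bytes: 8 bytes land past the field. */
static const uint8_t MSG_OVERSIZED[] = { 0x01, 24,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
/* len = 10 but only 3 value bytes follow: a read past the input. */
static const uint8_t MSG_TRUNCATED[] = { 0x01, 0x0A, 0x41, 0x42, 0x43 };

int main(void)
{
    printf("good      unchecked=%d checked=%d\n",
           run_unchecked(MSG_GOOD, sizeof MSG_GOOD),
           run_checked(MSG_GOOD, sizeof MSG_GOOD));
    printf("oversized unchecked=%d (bytes clobbered) checked=%d\n",
           run_unchecked(MSG_OVERSIZED, sizeof MSG_OVERSIZED),
           run_checked(MSG_OVERSIZED, sizeof MSG_OVERSIZED));
    /* The unchecked decoder is not run on the truncated message: that would be
     * a genuine out-of-bounds read of the constant array. */
    printf("truncated checked=%d\n",
           run_checked(MSG_TRUNCATED, sizeof MSG_TRUNCATED));
    return 0;
}
```

The hardened decoder checks `len` against the remaining input before the output capacity because the two failures are distinct (CWE-125 versus CWE-787) and distinct error codes make the rejected message easier to attribute in logs. Note that the memory protections listed under SI-16 would not change what `run_unchecked` reports: they act after the write, on whether the corrupted bytes can be turned into control-flow hijack.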
Details
- CWE(s): CWE-787 (Out-of-bounds Write)