Cyber Resilience

CVE-2025-36911

HighPublic PoC

Published: 15 January 2026

Published
15 January 2026
Modified
28 January 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0001 0.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36911 is a high-severity an unspecified weakness vulnerability in Google Android. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and SC-40 (Wireless Link Protection).

Deeper analysis

CVE-2025-36911 is a logic error in key-based pairing that enables information disclosure. This vulnerability affects Android Pixel devices, as documented in the January 2026 Pixel security bulletin.

The attack vector is adjacent (AV:A) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). An attacker in proximal or adjacent range can remotely disclose sensitive user data, including conversations and location, with high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). The CVSS v3.1 base score is 7.1.

Mitigation details are provided in the Android Pixel security bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01. Additional context on the affected component is available at https://whisperpair.eu/.

EU & UK References

Vulnerability details

In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed…

more

for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Logic error enables unauthorized adjacent-range disclosure of local device data (conversations, location), directly mapping to collection from local system sources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53834Same product: Google Android
CVE-2025-48636Same product: Google Android
CVE-2024-56192Same product: Google Android
CVE-2026-0122Same product: Google Android
CVE-2026-0045Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2026-0078Same product: Google Android
CVE-2024-49738Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly governs wireless pairing and authentication mechanisms whose logic error enables the adjacent information disclosure.

prevent

Requires protection of wireless links used for key-based pairing, blocking the proximal/adjacent eavesdropping vector.

prevent

Enforces access decisions during pairing so the flawed logic cannot grant unauthorized access to conversations and location.

References