CVE-2025-36911
Published: 15 January 2026
Summary
CVE-2025-36911 is a high-severity vulnerability in Google Android with an unspecified weakness type. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Logic error enables unauthorized adjacent-range disclosure of local device data (conversations, location), directly mapping to collection from local system sources.
NVD Description
In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis (AI)
CVE-2025-36911 is a logic error in key-based pairing that enables information disclosure. This vulnerability affects Android Pixel devices, as documented in the January 2026 Pixel security bulletin.
The attack vector is adjacent (AV:A) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). An attacker in proximal or adjacent range can remotely disclose sensitive user data, including conversations and location, with high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). The CVSS v3.1 base score is 7.1.
Mitigation details are provided in the Android Pixel security bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01. Additional context on the affected component is available at https://whisperpair.eu/.
Details
- CWE(s)