Cyber Resilience

CVE-2025-36937

Critical

Published: 11 December 2025

Published
11 December 2025
Modified
05 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36937 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-36937 is a vulnerability in the AudioDecoder::HandleProduceRequest function of audio_decoder.cc, where an incorrect bounds check enables a possible out-of-bounds write. This issue affects Android systems, as documented in the Pixel security bulletin published on 2025-12-11.

The vulnerability enables remote code execution without additional execution privileges or user interaction. Per the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an unauthenticated attacker can exploit it over the network with low attack complexity, achieving high impacts on confidentiality, integrity, and availability. It is associated with CWE-787 (Out-of-bounds Write).

The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2025-12-01 provides details on advisories and patches for mitigation.

EU & UK References

Vulnerability details

In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via an out-of-bounds write in a network-accessible audio decoder component, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0120Same product: Google Android
CVE-2026-0116Same product: Google Android
CVE-2026-0114Same product: Google Android
CVE-2026-0113Same product: Google Android
CVE-2024-53842Same product: Google Android
CVE-2026-0122Same product: Google Android
CVE-2024-49745Same product: Google Android
CVE-2024-49749Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2024-53838Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the incorrect bounds check in AudioDecoder::HandleProduceRequest by enforcing validation of information inputs to prevent out-of-bounds writes.

prevent

Implements memory protections like guard pages and stack canaries to mitigate out-of-bounds write vulnerabilities even if input validation fails.

prevent

Requires timely identification, testing, and patching of the flaw in audio_decoder.cc as detailed in the Android Pixel security bulletin.

References