CVE-2025-36937

Critical

Published: 11 December 2025

Published

11 December 2025

Modified

05 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36937 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the incorrect bounds check in AudioDecoder::HandleProduceRequest by enforcing validation of information inputs to prevent out-of-bounds writes.

SI-16 Memory Protection good match

prevent

Implements memory protections like guard pages and stack canaries to mitigate out-of-bounds write vulnerabilities even if input validation fails.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, testing, and patching of the flaw in audio_decoder.cc as detailed in the Android Pixel security bulletin.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution via an out-of-bounds write in a network-accessible audio decoder component, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2025-36937 is a vulnerability in the AudioDecoder::HandleProduceRequest function of audio_decoder.cc, where an incorrect bounds check enables a possible out-of-bounds write. This issue affects Android systems, as documented in the Pixel security bulletin published on 2025-12-11.

The vulnerability enables remote code execution without additional execution privileges or user interaction. Per the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an unauthenticated attacker can exploit it over the network with low attack complexity, achieving high impacts on confidentiality, integrity, and availability. It is associated with CWE-787 (Out-of-bounds Write).

The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2025-12-01 provides details on advisories and patches for mitigation.

Details

CWE(s): CWE-787

Affected Products

google

android

all versions

CVEs Like This One

CVE-2026-0116Same product: Google Android

CVE-2026-0120Same product: Google Android

CVE-2026-0114Same product: Google Android

CVE-2026-0113Same product: Google Android

CVE-2024-53842Same product: Google Android

CVE-2024-43096Same product: Google Android

CVE-2024-49748Same product: Google Android

CVE-2024-43768Same product: Google Android

CVE-2026-0123Same product: Google Android

CVE-2026-0010Same product: Google Android

References

https://source.android.com/security/bulletin/pixel/2025-12-01
Vendor Advisory · dsap-vuln-management@google.com