CVE-2025-36911Missing Release of Memory after Effective Lifetime in Google Android

CWE-401Missing Release of Memory after Effective Lifetime6 documents6 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 99.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedJan 15

Description

In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages1 packages

CVEListV5google/androidAndroid kernel

🔴Vulnerability Details

3
GHSA
GHSA-6fxf-xg6m-34hj: In key-based pairing, there is a possible ID due to a logic error in the code2026-01-15
CVEList
CVE-2025-36911: In key-based pairing, there is a possible ID due to a logic error in the code2026-01-15
OSV
CVE-2025-36911: In key-based pairing, there is a possible ID due to a logic error in the code2026-01-01

📋Vendor Advisories

1
Microsoft
hv_netvsc: Don't free decrypted memory2024-05-14

🕵️Threat Intelligence

1
Bleepingcomputer
Critical WhisperPair flaw lets hackers track, eavesdrop via Bluetooth audio devices2026-01-15
CVE-2025-36911 — Google Android vulnerability | cvebase