CVE-2025-36937 — Out-of-bounds Write in Google Android

CWE-787 — Out-of-bounds Write4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.2%
top 52.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedDec 11

Description

In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

â–¶CVEListV5google/androidAndroid kernel

🔴Vulnerability Details

3
GHSA
GHSA-cm32-294h-q3jh: In AudioDecoder::HandleProduceRequest of audio_decoder↗2025-12-11
â–¶
CVEList
CVE-2025-36937: In AudioDecoder::HandleProduceRequest of audio_decoder↗2025-12-11
â–¶
OSV
CVE-2025-36937: In AudioDecoder::HandleProduceRequest of audio_decoder↗2025-12-01
â–¶
CVE-2025-36937 — Out-of-bounds Write in Google Android | cvebase