CVE-2025-36937
Published: 11 December 2025
Description
In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the incorrect bounds check in AudioDecoder::HandleProduceRequest by enforcing validation of information inputs to prevent out-of-bounds writes.
Implements memory protections like guard pages and stack canaries to mitigate out-of-bounds write vulnerabilities even if input validation fails.
Requires timely identification, testing, and patching of the flaw in audio_decoder.cc as detailed in the Android Pixel security bulletin.
Security SummaryAI
CVE-2025-36937 is a vulnerability in the AudioDecoder::HandleProduceRequest function of audio_decoder.cc, where an incorrect bounds check enables a possible out-of-bounds write. This issue affects Android systems, as documented in the Pixel security bulletin published on 2025-12-11.
The vulnerability enables remote code execution without additional execution privileges or user interaction. Per the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an unauthenticated attacker can exploit it over the network with low attack complexity, achieving high impacts on confidentiality, integrity, and availability. It is associated with CWE-787 (Out-of-bounds Write).
The Android Pixel security bulletin at https://source.android.com/security/bulletin/pixel/2025-12-01 provides details on advisories and patches for mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via an out-of-bounds write in a network-accessible audio decoder component, directly mapping to exploitation of a public-facing application.