Security Vulnerability Report
CVE-2025-36921 CVSS 5.5 MEDIUM

Published: 2025-12-11 20:15:57
Last Modified: 2025-12-12 17:26:51

Description

In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android Baseband Firmware (ProtocolPsUnthrottleApn < patched version)
Pixel devices with affected baseband firmware (before the 2025-12-01 security patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-36921 PoC Concept
// Conceptual simulation of the missing bounds check reported in
// ProtocolPsUnthrottleApn(). The function body below is simulated.
// Note: Actual exploitation requires baseband firmware access
// This PoC is for educational and security research purposes only

#include <stdio.h>
#include <string.h>

// Simulated vulnerable function
void ProtocolPsUnthrottleApn(const char *apn_data, size_t length) {
    char buffer[256];

    // Missing bounds check - vulnerability: length is never compared
    // with sizeof(buffer), so memcpy runs past the end of buffer
    // whenever length exceeds 256
    memcpy(buffer, apn_data, length);

    // %s reads from buffer until it finds a NUL byte, which can lie
    // beyond the 256-byte array: the out-of-bounds read
    printf("Processing APN: %s\n", buffer);
}

// Oversized input that triggers the missing check
void trigger_vulnerability(void) {
    // Crafted APN data that exceeds the 256-byte buffer boundary
    char malicious_apn[512];
    memset(malicious_apn, 'A', sizeof(malicious_apn));
    malicious_apn[sizeof(malicious_apn) - 1] = '\0';

    // length (512) is larger than the destination buffer (256)
    ProtocolPsUnthrottleApn(malicious_apn, sizeof(malicious_apn));
}

int main(void) {
    printf("CVE-2025-36921 PoC\n");
    printf("Vulnerable Function: ProtocolPsUnthrottleApn\n");
    printf("File: protocolpsadapter.cpp\n");
    printf("Issue: Missing bounds check leads to OOB read\n\n");
    trigger_vulnerability();
    return 0;
}

// Mitigation:
// 1. Add proper bounds checking before memory operations
// 2. Use safe string functions with length parameters
// 3. Implement input validation for APN data length
// 4. Apply security updates from Google Android Security
```

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36921", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:56.647", "lastModified": "2025-12-12T17:26:51.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}