Security Vulnerability Report
CVE-2025-36927 CVSS 7.8 HIGH

Published: 2025-12-11 20:15:57
Last Modified: 2025-12-12 17:36:25

Description

In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
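Android Tachyon component: versions before the 2025-12-01 security patch level
Affected Pixel device versions (see the official bulletin for the specific versions)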

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-36927 PoC - Android Tachyon Out-of-Bounds Write
// This PoC demonstrates the vulnerability in GetTachyonCommand
// Note: the function below is a simulation, not the Tachyon source code.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Simulated vulnerable function from tachyon_server_common.h
void GetTachyonCommand(char* input, char* output, size_t output_size) {
    // Intended to model the missing bounds check on input length.
    // As written, the loop condition caps the copy at output_size - 1 bytes,
    // so this simulation truncates the input and does not write out of bounds.
    size_t i = 0;
    while (input[i] != '\0' && i < output_size - 1) {
        output[i] = input[i];
        i++;
    }
    output[i] = '\0';
}

// Malicious input generator: returns a NUL-terminated string of 'A' bytes
char* generate_malicious_input(size_t length) {
    char* payload = malloc(length + 1);
    if (payload == NULL) {
        return NULL;  // allocation failed
    }
    memset(payload, 'A', length);
    payload[length] = '\0';
    return payload;
}

int main() {
    char output_buffer[64];  // Small buffer for demonstration

    // Generate oversized input (exceeds buffer size)
    size_t malicious_length = 128;
    char* malicious_input = generate_malicious_input(malicious_length);
    if (malicious_input == NULL) {
        fprintf(stderr, "[-] malloc failed\n");
        return 1;
    }

    printf("[*] CVE-2025-36927 PoC\n");
    printf("[*] Triggering OOB write in GetTachyonCommand\n");

    // Intended to write beyond buffer boundaries; with the bounded loop
    // above, only 63 bytes plus the terminator are copied.
    GetTachyonCommand(malicious_input, output_buffer, sizeof(output_buffer));

    printf("[!] Buffer overflow triggered\n");
    printf("[!] Input length: %zu\n", malicious_length);
    printf("[!] Buffer size: %zu\n", sizeof(output_buffer));

    free(malicious_input);
    return 0;
}

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36927", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:57.227", "lastModified": "2025-12-12T17:36:25.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}