CVE-2025-36906

7.8 HIGH

📋 TL;DR

This CVE describes a heap buffer overflow (an out-of-bounds heap write) in the ConvertReductionOp function of darwinn_mlir_converter_aidl.cc. A local attacker can use it to escalate privilege with no additional execution privileges and no user interaction. It is listed in the September 2025 Pixel security bulletin; Google Pixel phones are confirmed affected, and the fix ships with that update.

💻 Affected Systems

Products:
  • Google Pixel phones
  • Android devices using affected components
Versions: Builds with a security patch level earlier than 2025-09-05 (the September 2025 Pixel security update)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the darwinn_mlir_converter_aidl.cc component used in machine learning acceleration. Pixel devices are confirmed affected by the Pixel bulletin; the bulletin does not establish whether any non-Pixel device ships this component, so treat other Android devices as affected only if they carry it.

📦 What is this software?

"darwinn" is the name Google uses for its Edge TPU machine-learning accelerator stack (the darwinn namespace in libedgetpu), which on Pixel phones backs the on-device ML acceleration mentioned in the Notes above. The _aidl suffix in the file name identifies an AIDL (Binder) interface, so the vulnerable conversion code is a user-space service reached over IPC, which is consistent with the bulletin's "no additional execution privileges needed" rating. The bulletin does not name the process that hosts the service.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain root/system-level privileges on the device, potentially compromising all user data, installing persistent malware, or using the device as a foothold for network attacks.

🟠

Likely Case

Local attackers or malicious apps could escalate privileges to access protected system resources, sensitive user data, or perform actions beyond their normal permissions.

🟢

If Mitigated

SELinux policy and the app sandbox limit which process domains can reach the vulnerable service and what the compromised service process can do afterward, and an exploitation attempt that fails usually only crashes the service (denial of service). These controls narrow the blast radius; only the September 2025 update removes the overflow.

🌐 Internet-Facing: LOW - This is a local privilege escalation; the attacker first needs code running on the device (for example a malicious or compromised app) and cannot reach the bug over the network.
🏢 Internal Only: HIGH - Any app or local user able to run code on an unpatched device can attempt exploitation, with no user interaction required.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires code execution on the device but no user interaction. The bug is a heap buffer overflow in ConvertReductionOp, i.e. an out-of-bounds heap write; turning it into privilege escalation means controlling the overflow contents and the heap layout of the service process, and no public proof of concept is known at the time of writing. Complexity is rated MEDIUM on that basis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android September 2025 security update

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2025-09-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Download and install the September 2025 Android security update.
3. Reboot the device after installation completes.
4. Verify the patch is applied by checking the security patch level in Settings > About phone.

🔧 Temporary Workarounds

Disable unnecessary ML/neural network features

Avoid installing or granting access to apps that use on-device ML acceleration. Caveat: this page does not identify a user-facing setting that disables the darwinn converter service itself, so this cannot be verified to close the vulnerable code path; treat it as attack-surface reduction, not a fix.

Restrict app permissions

Install only trusted applications (keep Play Protect enabled; on managed devices, block sideloading by policy). Because the bulletin rates the bug as needing no additional execution privileges, runtime permissions are not the control that matters; keeping untrusted code off the device is.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app installation policies and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the security patch level in Settings > About phone. If it is earlier than September 5, 2025, the device is unpatched.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'September 5, 2025' or later in Settings > About phone.
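The check above as a shell script, added here as an example (not from the Pixel bulletin or from Google): it compares the ro.build.version.security_patch value against the level that carries the fix and fails closed on anything that is not a date. The fixed level 2025-09-05 is taken from the advisory text on this page; check_device and check_all_devices assume adb is installed and the device is authorized for USB debugging.

```shell
# Added example: compare an Android device's security patch level with the
# level that ships the fix for CVE-2025-36906. Not vendor code.
# Assumption: the fix is present from patch level 2025-09-05 (September 2025
# Pixel update). Change FIXED_LEVEL if your bulletin states another level.
FIXED_LEVEL="2025-09-05"

# level_num YYYY-MM-DD -> YYYYMMDD; returns 1 if the input is not a date.
# Uses parameter expansion only, so it works in plain POSIX sh.
level_num() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s\n' "$y" "$m" "$d"
}

# is_patched LEVEL -> exit 0 if LEVEL is at or after FIXED_LEVEL.
# Anything unparseable counts as unpatched (fail closed).
is_patched() {
    have=$(level_num "$1") || return 1
    want=$(level_num "$FIXED_LEVEL") || return 1
    [ "$have" -ge "$want" ]
}

# check_device [SERIAL]: read the patch level over adb and report.
# Returns 0 when patched, 1 when vulnerable, 2 when adb gave no answer.
check_device() {
    if [ -n "$1" ]; then
        level=$(adb -s "$1" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    else
        level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    fi
    if [ -z "$level" ]; then
        echo "no patch level read (adb missing, device offline, or not authorized)" >&2
        return 2
    fi
    if is_patched "$level"; then
        echo "patch level $level: CVE-2025-36906 fix present"
    else
        echo "patch level $level: VULNERABLE, install the September 2025 update"
        return 1
    fi
}

# check_all_devices: run check_device for every device adb lists as online;
# returns 1 if any is vulnerable or unreadable. Usage: source this file and
# call check_all_devices.
check_all_devices() {
    rc=0
    for serial in $(adb devices 2>/dev/null | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        printf '%s: ' "$serial"
        check_device "$serial" || rc=1
    done
    return $rc
}
```

Dates are compared as integers after stripping the dashes, so a level such as 2025-09-01 (the bulletin's other patch level) is correctly reported as unpatched.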

📡 Detection & Monitoring

Log Indicators:

  • Native crash reports for the process hosting the darwinn MLIR converter service: logcat "Fatal signal" lines from libc and tombstones under /data/tombstones (the overflow is in a user-space AIDL service, so a failed attempt shows up as a service crash, not a kernel panic)
  • SELinux denials (avc: denied) naming a darwinn_mlir_converter-related domain, especially from an untrusted_app source context
  • Processes or shells appearing in an unexpected SELinux domain or as root after such a crash

Network Indicators:

  • Unusual outbound connections from system processes after local compromise

SIEM Query:

Correlate, per device, repeated native crashes of the darwinn converter service with SELinux denials that name the service from an untrusted_app domain, and alert when both occur within a short window. On managed fleets, also alert on devices whose reported security patch level stays below 2025-09-05.
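A scan over a logcat capture for the indicators listed above, added here as an example and not part of this page or of any vendor tooling. The sample lines are constructed for the example: the process name darwinn_example_svc and the SELinux domain hal_darwinn_example are placeholders, since the bulletin does not name the real process or domain, so replace the darwinn match with the names you observe on your own devices. The "Fatal signal" and "avc: denied" line formats are the standard ones from Android's libc crash handler and the kernel audit log as they appear in logcat.

```shell
# Added example: pull CVE-2025-36906-relevant indicators out of a logcat
# capture. Not Google code. Process and domain names in the sample are
# placeholders, not the real ones.

# scan_logcat FILE: print each matching line prefixed with an indicator tag.
# Exit 0 if at least one indicator was found, 1 otherwise, so it can gate
# an alert. Filters:
#   CRASH     native crash (libc "Fatal signal") in a darwinn-related process
#   SELINUX   avc denial involving a darwinn-related domain
#   TOMBSTONE debuggerd wrote a tombstone (context for the crash above)
scan_logcat() {
    awk '
        /Fatal signal/ && /darwinn/   { print "CRASH     " $0; n++; next }
        /avc: +denied/ && /darwinn/   { print "SELINUX   " $0; n++; next }
        /Tombstone written to:/       { print "TOMBSTONE " $0; n++; next }
        END { exit (n > 0 ? 0 : 1) }
    ' "$1"
}

# count_indicators FILE: number of indicator lines in FILE.
count_indicators() {
    scan_logcat "$1" | wc -l | tr -d ' '
}

# make_sample_log: write a constructed logcat excerpt to a temp file and
# print its path. Lines 2-4 are the indicators; the SIGABRT in an
# unrelated app on line 5 must not match.
make_sample_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/logcat.XXXXXX")
    cat > "$f" <<'EOF'
09-10 11:22:33.101  2210  2210 I ActivityManager: Start proc 9876:com.example.app/u0a123 for activity com.example.app/.MainActivity
09-10 11:22:34.400  9876  9876 W binder:9876_2: type=1400 audit(0.0:512): avc:  denied  { call } for scontext=u:r:untrusted_app:s0:c123,c256,c512,c768 tcontext=u:r:hal_darwinn_example:s0 tclass=binder permissive=0
09-10 11:22:35.007  3321  3321 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140 in tid 3321 (binder:3321_1), pid 3321 (darwinn_example_svc)
09-10 11:22:35.900  3380  3380 F DEBUG   : Tombstone written to: /data/tombstones/tombstone_07
09-10 11:22:40.120  4455  4455 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 4455 (com.example.other), pid 4455 (com.example.other)
09-10 11:22:41.000  2210  2210 I ActivityManager: Process com.example.other (pid 4455) has died
EOF
    echo "$f"
}

# Live use on a connected device (requires adb):
#   adb logcat -d > /tmp/logcat.txt && scan_logcat /tmp/logcat.txt
```

The crash filter deliberately requires the darwinn name on the "Fatal signal" line so that crashes of unrelated apps do not page anyone; widen it to the real service process name once you know it from a tombstone on an affected device.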

🔗 References

  • Pixel Update Bulletin, September 2025: https://source.android.com/security/bulletin/pixel/2025-09-01