CVE-2025-36929 – This vulnerability in Android's graphics subsys... (How to Fix)

Q: What is the severity of CVE-2025-36929?

CVE-2025-36929 has a CVSS score of 5.5 (MEDIUM). This vulnerability in Android's graphics subsystem allows local information disclosure without requiring user interaction or elevated privileges. It affects Pixel devices running vulnerable Android versions, potentially exposing sensitive memory contents to local attackers.

📋 TL;DR

This vulnerability in Android's graphics subsystem allows local information disclosure without requiring user interaction or elevated privileges. It affects Pixel devices running vulnerable Android versions, potentially exposing sensitive memory contents to local attackers.

💻 Affected Systems

Products:

Google Pixel devices

Versions: Android versions prior to the December 2025 security update

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with the vulnerable graphics driver component; requires local access to the device.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive kernel memory containing passwords, encryption keys, or other protected data, leading to complete system compromise.

🟠

Likely Case

Limited information leak exposing non-critical system data or application memory, potentially enabling further attacks.

🟢

If Mitigated

No impact if patched; unpatched systems remain vulnerable to local information disclosure.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring local access to the device.

🏢 Internal Only: MEDIUM - Local attackers or malicious apps could exploit this to gain sensitive information.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and understanding of graphics subsystem internals; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2025 Android security update

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2025-12-01

Restart Required: Yes

Instructions:

1. Go to Settings > System > System update. 2. Check for and install the December 2025 security update. 3. Restart the device when prompted.

🔧 Temporary Workarounds

No effective workarounds

all

This is a kernel-level vulnerability requiring patching; no configuration changes can mitigate it.

🧯 If You Can't Patch

Restrict physical access to devices and limit app installation to trusted sources only
Monitor for suspicious local activity and implement application allowlisting

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security update

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'December 5, 2025' or later

📡 Detection & Monitoring

Log Indicators:

Unusual graphics driver errors in kernel logs
Suspicious memory access patterns

Network Indicators:

None - this is a local vulnerability

SIEM Query:

Not applicable for network detection; monitor device logs for graphics subsystem anomalies

📊 Metadata

CVE ID: CVE-2025-36929

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-20

EPSS Score: 0.01% exploit probability (0.7th percentile)

Published: December 11, 2025

Last Updated: December 12, 2025

🔗 References

https://source.android.com/security/bulletin/pixel/2025-12-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-36929, you might also want to check these: