CVE-2025-36935
📋 TL;DR
This vulnerability allows local privilege escalation through memory corruption in Android's Trusty secure environment. Attackers can exploit uninitialized data in the trusty_ffa_mem_reclaim function to gain elevated privileges without user interaction. This affects Android devices with Trusty secure OS implementations.
💻 Affected Systems
- Google Pixel devices
- Android devices with Trusty secure OS
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise with root-level access, allowing installation of persistent malware, data theft, and bypassing security controls.
Likely Case
Local privilege escalation enabling attackers to access sensitive data, install malicious apps, or modify system settings.
If Mitigated
Limited impact with proper security controls like SELinux, verified boot, and app sandboxing in place.
🎯 Exploit Status
Exploitation requires local access but no user interaction. The vulnerability is in a secure environment component, making exploitation more complex than typical Android vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2025 Android security patch or later
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2025-12-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update. 2. Install the December 2025 security patch or later. 3. Reboot the device after installation completes.
🔧 Temporary Workarounds
No known workarounds
allThis is a kernel-level vulnerability requiring patching at the OS level.
🧯 If You Can't Patch
- Restrict physical access to devices and implement strict app installation policies
- Monitor for suspicious privilege escalation attempts using Android security logging
🔍 How to Verify
Check if Vulnerable:
Check Android security patch level in Settings > About phone > Android version > Security patch level. If earlier than December 2025, device is vulnerable.Check Version:
adb shell getprop ro.build.version.security_patchVerify Fix Applied:
Verify security patch level shows December 2025 or later after applying update and rebooting.📡 Detection & Monitoring
Log Indicators:
- Unexpected Trusty secure environment crashes or errors in kernel logs
- Suspicious privilege escalation attempts in Android security logs
Network Indicators:
- No network indicators - this is a local vulnerability
SIEM Query:
source="android_logs" AND (message="*trusty*" OR message="*secure environment*" OR message="*privilege escalation*")