CVE-2025-36938 – This CVE describes a fault injection vulnerabil... (How to Fix)

📋 TL;DR

This CVE describes a fault injection vulnerability in U-Boot's append_uint32_le() function that could allow physical attackers to escalate privileges without user interaction. The vulnerability affects systems using vulnerable U-Boot versions, particularly Android devices with Pixel firmware. Exploitation requires physical access to the device.

💻 Affected Systems

Products:

Android Pixel devices
Systems using vulnerable U-Boot versions

Versions: U-Boot versions prior to fix in Android Security Bulletin December 2025

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Primarily affects Google Pixel devices as referenced in Android Security Bulletin. Other devices using vulnerable U-Boot versions may also be affected.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Physical attacker gains full control of the device boot process, potentially bypassing secure boot and installing persistent malware.

🟠

Likely Case

Physical attacker with specialized equipment could bypass boot security to gain elevated privileges on affected devices.

🟢

If Mitigated

With physical security controls and secure boot enabled, impact is limited to devices with direct physical access.

🌐 Internet-Facing: LOW - Requires physical access to device, not remotely exploitable.

🏢 Internal Only: MEDIUM - Physical access within organization could allow privilege escalation on vulnerable devices.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires physical access and fault injection equipment. No authentication needed but requires specialized hardware for timing/power analysis attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level December 2025

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2025-12-01

Restart Required: Yes

Instructions:

1. Apply December 2025 Android security update
2. For Pixel devices: Settings > System > System update
3. For other devices: Check manufacturer for U-Boot updates
4. Reboot device after update

🔧 Temporary Workarounds

Physical Security Controls

all

Implement physical security measures to prevent unauthorized physical access to devices

Secure Boot Enforcement

all

Ensure secure boot is enabled and properly configured

🧯 If You Can't Patch

Restrict physical access to vulnerable devices
Implement device tamper detection and monitoring

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level: Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows December 2025 or later

📡 Detection & Monitoring

Log Indicators:

Unexpected device reboots
Bootloader modification attempts
Secure boot violations

SIEM Query:

Device boot events with suspicious timing or secure boot failures

📊 Metadata

CVE ID: CVE-2025-36938

CVSS v3 Score: 5.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-94

EPSS Score: 0.01% exploit probability (2.1th percentile)

Published: December 11, 2025

Last Updated: December 12, 2025

🔗 References

https://source.android.com/security/bulletin/pixel/2025-12-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-36938, you might also want to check these: