SB2025120236 - Multiple vulnerabilities in Google Pixel
Published: December 2, 2025
Description
This security bulletin contains information about 27 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-36932)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the CPM subcomponent in Pixel. A local application can execute arbitrary code.
2) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2025-36929)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can gain access to sensitive information.
3) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2025-36921)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Exynos RIL subcomponent in Pixel. A local application can gain access to sensitive information.
4) Improper input validation (CVE-ID: CVE-2025-36938)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Pixel Tablet Dock subcomponent in Pixel. A local application can execute arbitrary code.
5) Improper input validation (CVE-ID: CVE-2025-36922)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the gChip subcomponent in Pixel. A local application can execute arbitrary code.
6) Improper input validation (CVE-ID: CVE-2025-36917)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Exynos-SLSI subcomponent in Pixel. A local application can perform a denial of service (DoS) attack.
7) Improper input validation (CVE-ID: CVE-2025-36912)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Cellular Modem subcomponent in Pixel. A local application can perform a denial of service (DoS) attack.
8) Input validation error (CVE-ID: CVE-2025-26782)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect handling of RLC AM PDUs within the L2 component. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
9) Input validation error (CVE-ID: CVE-2025-26781)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect handling of RLC AM PDUs within the L2 component. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
10) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2025-36889)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Camera2 subcomponent in Pixel. A local application can gain access to sensitive information.
11) Improper input validation (CVE-ID: CVE-2025-36936)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
12) Improper input validation (CVE-ID: CVE-2025-36934)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the BigWave subcomponent in Pixel. A local application can execute arbitrary code.
13) Improper input validation (CVE-ID: CVE-2025-36931)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
14) Integer overflow (CVE-ID: CVE-2025-54957)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when handling media files. A remote attacker can trick the victim into opening a specially crafted media file, trigger an integer overflow and perform a denial of service (DoS) attack.
15) Improper input validation (CVE-ID: CVE-2025-36930)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2025-36928)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
17) Improper input validation (CVE-ID: CVE-2025-36927)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
18) Improper input validation (CVE-ID: CVE-2025-36925)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the AOC subcomponent in Pixel. A local application can execute arbitrary code.
19) Improper input validation (CVE-ID: CVE-2025-36924)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Modem subcomponent in Pixel. A local application can execute arbitrary code.
20) Improper input validation (CVE-ID: CVE-2025-36923)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Modem subcomponent in Pixel. A local application can execute arbitrary code.
21) Improper input validation (CVE-ID: CVE-2025-36919)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the AoC subcomponent in Pixel. A local application can execute arbitrary code.
22) Improper input validation (CVE-ID: CVE-2025-36918)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the AoC subcomponent in Pixel. A local application can execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2025-36916)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the TPU subcomponent in Pixel. A local application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2025-32335)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the rild subcomponent in Pixel. A local application can execute arbitrary code.
25) Improper input validation (CVE-ID: CVE-2024-8257)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the eSIM subcomponent in Pixel. A local application can execute arbitrary code.
26) Improper input validation (CVE-ID: CVE-2025-36937)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the AOC subcomponent in Pixel. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.
27) Improper input validation (CVE-ID: CVE-2025-36935)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Trusty subcomponent in Pixel. A local application can execute arbitrary code.
Remediation
Install the update from the vendor's website.