CVE-2025-36911
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: Google Devices
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| | fast_pair | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36911, known as "WhisperPair," is a critical vulnerability in Bluetooth accessories that implement Google Fast Pair incorrectly. The flaw lies in the pairing process where accessories fail to ignore pairing initiation messages when not in pairing mode, allowing attackers to forcibly pair with devices without user consent. This enables attackers to gain control over the accessory, such as playing audio loudly or recording conversations, and to track the user's location persistently via Google's Find Hub network. The attack requires no user interaction and can be performed remotely using common hardware. [1]
How can this vulnerability impact me?
This vulnerability can severely impact users by allowing attackers to remotely take control of vulnerable Bluetooth accessories, such as earbuds or speakers, without any user interaction. Attackers can play audio at high volumes, record conversations through microphones, and track the user's location persistently by exploiting integration with Google's Find Hub network. The attack can be executed from distances up to 14 meters using commodity hardware, compromising user privacy and security on a large scale. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized Fast Pair Bluetooth pairing attempts. Since the attack can be executed with commodity hardware like laptops or Raspberry Pi devices within Bluetooth range (up to 14 meters), you can scan for unexpected Bluetooth pairing requests or new paired devices that you did not authorize. Using Bluetooth scanning tools such as 'bluetoothctl' on Linux, you can list paired devices and monitor pairing events. For example, commands like 'bluetoothctl paired-devices' can show currently paired devices, and 'bluetoothctl scan on' can detect nearby Bluetooth devices initiating pairing. However, there are no specific commands detailed for detecting this vulnerability directly, so monitoring for unusual pairing activity is recommended. [1]
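The answer above amounts to a manual audit: list what is paired and look for anything you did not pair yourself. The following is an added example (not part of the BaseFortify page and not a tool from Google or the Fast Pair project) that automates that check on the accessory's host side: it parses the `Device <MAC> <name>` lines that `bluetoothctl paired-devices` prints and reports any address missing from an owner-maintained allowlist. The sample output, the MAC addresses and the allowlist are constructed for illustration; the line format is assumed to match current BlueZ output, so adjust the regular expression if your version prints something different.

```python
import re
import subprocess

# Constructed sample of `bluetoothctl paired-devices` output. Addresses and
# names are made up for this example and do not refer to any real device.
SAMPLE_PAIRED_OUTPUT = """\
Device 11:22:33:44:55:66 Pixel Buds Pro
Device AA:BB:CC:DD:EE:FF Unknown Accessory
Device 77:88:99:aa:bb:cc Office Speaker
"""

# Constructed baseline: addresses the owner knowingly paired. Case is
# irrelevant because everything is normalised to upper case before comparing.
KNOWN_DEVICES = {
    "11:22:33:44:55:66",
    "77:88:99:AA:BB:CC",
}

# One line per paired device: "Device <MAC> <free-form name>".
DEVICE_LINE = re.compile(
    r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$"
)


def parse_paired_devices(output):
    """Turn bluetoothctl text into {MAC: name}, MACs upper-cased.

    Lines that do not match the expected shape (prompts, blank lines,
    agent chatter) are ignored rather than treated as devices.
    """
    devices = {}
    for line in output.splitlines():
        match = DEVICE_LINE.match(line.strip())
        if match:
            devices[match.group(1).upper()] = match.group(2).strip()
    return devices


def find_unexpected(devices, known):
    """Return sorted (MAC, name) pairs for devices not in the allowlist."""
    known_upper = {mac.upper() for mac in known}
    return sorted(
        (mac, name) for mac, name in devices.items() if mac not in known_upper
    )


def audit_live(known=KNOWN_DEVICES):
    """Run bluetoothctl on this host and audit its real paired-device list.

    Returns the unexpected entries, or None if bluetoothctl is unavailable.
    """
    try:
        result = subprocess.run(
            ["bluetoothctl", "paired-devices"],
            capture_output=True, text=True, timeout=10, check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return find_unexpected(parse_paired_devices(result.stdout), known)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    unexpected = find_unexpected(parse_paired_devices(SAMPLE_PAIRED_OUTPUT),
                                 KNOWN_DEVICES)
    for mac, name in unexpected:
        print(f"UNEXPECTED paired device: {mac} ({name})")
    if not unexpected:
        print("No unexpected paired devices in sample output.")
```

Running this periodically (for example from cron) and alerting when `find_unexpected` returns anything gives a simple baseline-drift check; it cannot tell a forced Fast Pair bond from a legitimate one, which is why the allowlist has to be maintained by the owner rather than learned automatically.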
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to install firmware updates provided by accessory manufacturers that patch this vulnerability. Disabling Fast Pair on phones does not prevent the attack, and factory resetting or unpairing devices does not fix the underlying issue. Users should verify patch availability with their device manufacturers and keep their Bluetooth accessories updated. Until patches are applied, the devices remain vulnerable to remote unauthorized pairing and potential information disclosure. [1]