CVE-2025-36911
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Google Devices

Description
In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36911
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google fast_pair *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-36911, known as "WhisperPair," is a critical vulnerability in Bluetooth accessories that implement Google Fast Pair incorrectly. The flaw lies in the pairing process where accessories fail to ignore pairing initiation messages when not in pairing mode, allowing attackers to forcibly pair with devices without user consent. This enables attackers to gain control over the accessory, such as playing audio loudly or recording conversations, and to track the user's location persistently via Google's Find Hub network. The attack requires no user interaction and can be performed remotely using common hardware. [1]

Impact Analysis

This vulnerability can severely impact users by allowing attackers to remotely take control of vulnerable Bluetooth accessories, such as earbuds or speakers, without any user interaction. Attackers can play audio at high volumes, record conversations through microphones, and track the user's location persistently by exploiting integration with Google's Find Hub network. The attack can be executed from distances up to 14 meters using commodity hardware, compromising user privacy and security on a large scale. [1]

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized Fast Pair Bluetooth pairing attempts. Since the attack can be executed with commodity hardware like laptops or Raspberry Pi devices within Bluetooth range (up to 14 meters), you can scan for unexpected Bluetooth pairing requests or new paired devices that you did not authorize. Using Bluetooth scanning tools such as 'bluetoothctl' on Linux, you can list paired devices and monitor pairing events. For example, commands like 'bluetoothctl paired-devices' can show currently paired devices, and 'bluetoothctl scan on' can detect nearby Bluetooth devices initiating pairing. However, there are no specific commands detailed for detecting this vulnerability directly, so monitoring for unusual pairing activity is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to install firmware updates provided by accessory manufacturers that patch this vulnerability. Disabling Fast Pair on phones does not prevent the attack, and factory resetting or unpairing devices does not fix the underlying issue. Users should verify patch availability with their device manufacturers and keep their Bluetooth accessories updated. Until patches are applied, the devices remain vulnerable to remote unauthorized pairing and potential information disclosure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart