CVE-2025-36911
Published Jan 15, 2026
Last updated 3 months ago
AI description
CVE-2025-36911, also known as "WhisperPair," is a vulnerability found in the key-based pairing process of Bluetooth audio accessories that utilize Google's Fast Pair protocol. The flaw stems from a logic error in the code, where devices may fail to properly verify if they are in pairing mode. This oversight allows an attacker in close physical proximity to exploit the vulnerability without requiring additional execution privileges or user interaction. Successful exploitation of CVE-2025-36911 can lead to remote information disclosure, potentially exposing users' conversations and location data. Attackers can forcibly pair vulnerable accessories with their own devices, gaining control over the audio device. This could enable actions such as playing audio at high volumes, recording conversations through the device's microphone, or tracking the user's location if the accessory supports Google's Find Hub network.
- Description: In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.
- Source: dsap-vuln-management@google.com
- NVD status: Modified
- Products: android
CVSS 3.1
- Type: Secondary
- Base score: 7.1
- Impact score: 4.2
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Severity: HIGH
- Hype score: Not currently trending
Tool for research on Bluetooth vulnerability CVE-2025-36911 https://t.co/iH6cuZNNTx https://t.co/QUx4UbCpeh
@Hermes_tooll
5 Mar 2026
294 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Tool for research on Bluetooth vulnerability CVE-2025-36911 https://t.co/ORnsacARgE https://t.co/XCn31lChhT
@tom_doerr
5 Mar 2026
7182 Impressions
14 Retweets
126 Likes
113 Bookmarks
1 Reply
0 Quotes
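Tested how much information always-on Bluetooth devices leak, using the passive scanner Bluehood. With just a Raspberry Pi, neighbors' behavior patterns and whether they are at home can be determined, and devices whose BLE cannot be disabled, such as hearing aids, are also affected. Also the disclosure of CVE-2025-36911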
@__su888
17 Feb 2026
37 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Hello @SonyFrance @Sony, does the latest update for the WH-1000XM4 headphones (3.0.1) actually fix the whisperpair vulnerability (CVE-2025-36911)? Thanks!
@MichtroyTwitch
6 Feb 2026
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Security Alert: WhisperPair Flaw in Fast Pair protocol (CVE-2025-36911) lets hackers hijack Bluetooth headphones: ⚠️ Risks: - Eavesdropping via mic - Location tracking - Forced pairing 🔍 Check your device: https://t.co/hmXfBF9s1X 🛠 Action: Update your fi
@SaadhJawwadh
4 Feb 2026
292 Impressions
0 Retweets
3 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 Serious warning for Bluetooth headphone users 🚨 There is a new security vulnerability, CVE-2025-36911, that concerns the pairing method of some Bluetooth devices. This vulnerability lets anyone near you
@spainfunk
3 Feb 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Just published a technical breakdown of Google Fast Pair and the WhisperPair vulnerability (CVE-2025-36911). Learn how static Fast Pair BLE advertisements enable passive tracking and why this matters for device privacy. Full article: https://t.co/WXzOiBfoa0 https://t.co/mpiLcKe
@Raging_Wolfie
29 Jan 2026
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📡 CVE-2025-36911: Fast Pair accepts KBP requests outside pairing mode. Full Python exploit + demo with RF Swift (https://t.co/F4v46bOvaX) 🎬 Re-adapted for CLI https://t.co/FlwibruAJM https://t.co/swk8gqSzsy
@PentHertz
27 Jan 2026
5793 Impressions
24 Retweets
52 Likes
35 Bookmarks
1 Reply
1 Quote
🚨 Your Bluetooth headphones can be HACKED to spy on you CVE-2025-36911 - WhisperPair ⚠️ Sony WH-1000XM4/5/6, Pixel Buds, Jabra, JBL affected ⚠️ Attacker connects from 15 meters WITHOUT your permission ⚠️ Can listen through your microphone Google paid $15K for this bug
@secnetnew
22 Jan 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
google fast pair has totally blown up, vulnerability CVE-2025-36911
@johmddqnzydfzx
22 Jan 2026
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WPair is the PoC for the CVE-2025-36911 (WhisperPair) vulnerability in millions of headphones. It lets pentesters demonstrate unauthorized pairing and microphone access in security tests. 🎧🔓 [#WPair #HackingEtico #Cybersecurity #Bluetooth #PoC] https://
@EsGeeks
21 Jan 2026
573 Impressions
4 Retweets
14 Likes
8 Bookmarks
2 Replies
0 Quotes
⚠️ Vulnerabilities in Google devices ❗ CVE-2025-48647 ❗ CVE-2025-36911 ➡️ More info: https://t.co/rZnJU3Ih9k https://t.co/Z1qa4k15e1
@CERTpy
21 Jan 2026
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼️WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Google's Fast Pair protocol. https://t.co/NFfNyzxdta Features: ▪️BLE Scanner - Discovers Fast Pair devices broadcasting the 0xFE2C service UUID ▪️V
@DarkWebInformer
20 Jan 2026
4956 Impressions
8 Retweets
38 Likes
20 Bookmarks
0 Replies
0 Quotes
🚨 WPair Scanner Released to Detect WhisperPair (CVE-2025-36911) Fast Pair Authentication Bypass A new open-source Android tool (WPair) can scan and safely test Bluetooth audio devices for the WhisperPair flaw, caused by missing signature verification and lack of user
@ThreatSynop
20 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WhisperPair Attack Forces Bluetooth Pairing to Hijack Earbuds and Track Victims WhisperPair (CVE-2025-36911) exploits flawed Google Fast Pair implementations that accept pairing requests even when devices aren’t in pairing mode, allowing attackers within ~14m to silently t
@ThreatSynop
20 Jan 2026
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WhisperPair Flaw Lets Attackers Hijack Bluetooth Earbuds and Track Victims via Google Fast Pair Researchers disclosed a critical Fast Pair vulnerability (CVE-2025-36911 “WhisperPair”) where many accessories accept pairing requests even when not in pairing mode, enabling
@ThreatSynop
20 Jan 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A serious vulnerability called "WhisperPair" (CVE-2025-36911) has been discovered in "Fast Pair", Google's easy Bluetooth connection feature.
@omomuki_tech
20 Jan 2026
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
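WhisperPair: serious vulnerability CVE-2025-36911 in hundreds of millions of Bluetooth devices - the reality of the eavesdropping and tracking risks caused by flaws in Google Fast Pair https://t.co/FnROE455P3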
@cybersecnews_jp
19 Jan 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WhisperPair Vulnerability Exposed! 🎧🔓 WPair-app scanner demonstrates CVE-2025-36911 in Google's Fast Pair, affecting millions of Bluetooth audio devices. A must-see for #CyberSecurity #exploit #wireless #WhisperPair #FastPair #CVE202536911 https://t.co/FNmiwXjMPD
@TheExploitLab
19 Jan 2026
125 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WPair: app for testing Bluetooth WhisperPair vulnerability (CVE-2025-36911) WhisperPair vulnerability allows hijacking Bluetooth headsets that use Google Fast Pair to spy on microphone and track their location https://t.co/1ebPoY03NN https://t.co/SmayGlj5Fo
@androidmalware2
19 Jan 2026
22852 Impressions
55 Retweets
373 Likes
283 Bookmarks
0 Replies
0 Quotes
CVE-2025-36911 (Bluetooth device hijacking), apparently. Hmm... I might be at risk too.
@Eternal_Zunda
19 Jan 2026
106 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
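#WhisperPair: serious vulnerability CVE-2025-36911 in hundreds of millions of Bluetooth devices - the reality of the eavesdropping and tracking risks caused by flaws in Google Fast Pair https://t.co/iDwBKFVWfU #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃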
@securityLab_jp
18 Jan 2026
145 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WhisperPair is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol. https://t.co/Jm3NfnJgWw
@RooTkiT1XZ
18 Jan 2026
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub - zalexdev/wpair-app: WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide https://t.co/WLc0LreaGQ
@akaclandestine
18 Jan 2026
2581 Impressions
7 Retweets
35 Likes
31 Bookmarks
1 Reply
1 Quote
POV: Someone just paired to your earbuds CVE-2025-36911 — Fast Pair accepts pairing requests even when NOT in pairing mode - Silent attack, zero user interaction - 100M+ vulnerable devices - Mic access via HFP Android PoC → https://t.co/0eNlZaKAw6 #bluetooth #hacking
@zalexdev
17 Jan 2026
104 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
CVE-2025-36911 in Google's Fast Pair protocol allows you to do some really cool things with Bluetooth devices. Learn more here: https://t.co/KFTNkpUIep The Whisper Pair app lets you run the exploit easily: https://t.co/FkoZYKhwrw https://t.co/rpnC6eZNfl
@zeac3r
17 Jan 2026
121 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WhisperPair Fast Pair Flaw Lets Attackers Hijack Millions of Bluetooth Audio Accessories SecurityWeek reports KU Leuven researchers found a critical Google Fast Pair implementation flaw (CVE-2025-36911) where vulnerable accessories don’t verify “pairing mode,” allowing
@ThreatSynop
16 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**Vulnerability Alert!** Millions of Bluetooth audio devices (headphones, earbuds) exposed by CVE-2025-36911 (WhisperPair). Attackers nearby (within 14m) can forcibly pair & potentially eavesdrop, hijack audio, or track your device via Find... #Cybersecurity #BluetoothSecurit
@LavxNews
16 Jan 2026
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Critical “WhisperPair” Bug Lets Hackers Track and Eavesdrop via Google Fast Pair Audio Devices Security researchers found a critical flaw in Google’s Fast Pair protocol (CVE-2025-36911) that allows nearby attackers to silently hijack vulnerable Bluetooth
@ThreatSynop
16 Jan 2026
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical WhisperPair flaw (CVE-2025-36911) affects millions of Bluetooth audio devices with Google Fast Pair. It allows tracking, eavesdropping and remote hijacking. Update the device's firmware as soon as possible. #chevalyeTek https
@williamboamson
16 Jan 2026
69 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-36911 In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversa… https://t.co/vOHTT5jlmI
@CVEnew
15 Jan 2026
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Researchers at KU Leuven disclose "WhisperPair" (CVE-2025-36911), a critical flaw in Google's Fast Pair that lets nearby attackers track and eavesdrop on hundreds of millions of Bluetooth audio devices. #Bluetooth https://t.co/6NHFW1PzZ4
@threatcluster
15 Jan 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical “WhisperPair” Flaw Lets Hackers Track & Eavesdrop via Bluetooth Audio Devices A critical weakness in Google’s Fast Pair protocol (CVE-2025-36911, “WhisperPair”) allows nearby attackers to silently hijack vulnerable earbuds/headphones/speakers, potentia
@ThreatSynop
15 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]