AI description
CVE-2025-36911, also known as "WhisperPair," is a vulnerability found in the key-based pairing process of Bluetooth audio accessories that utilize Google's Fast Pair protocol. The flaw stems from a logic error in the code, where devices may fail to properly verify if they are in pairing mode. This oversight allows an attacker in close physical proximity to exploit the vulnerability without requiring additional execution privileges or user interaction. Successful exploitation of CVE-2025-36911 can lead to remote information disclosure, potentially exposing users' conversations and location data. Attackers can forcibly pair vulnerable accessories with their own devices, gaining control over the audio device. This could enable actions such as playing audio at high volumes, recording conversations through the device's microphone, or tracking the user's location if the accessory supports Google's Find Hub network.
- Description
- In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.
- Source
- dsap-vuln-management@google.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.1
- Impact score
- 4.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Severity
- HIGH
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
11
🚨 WhisperPair Vulnerability Exposed! 🎧🔓 WPair-app scanner demonstrates CVE-2025-36911 in Google's Fast Pair, affecting millions of Bluetooth audio devices. A must-see for #CyberSecurity #exploit #wireless #WhisperPair #FastPair #CVE202536911 https://t.co/FNmiwXjMPD
@TheExploitLab
19 Jan 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WPair: app for testing Bluetooth WhisperPair vulnerability (CVE-2025-36911) WhisperPair vulnerability allows to hijacking Bluetooth headsets that use Google Fast Pair to spy on microphone and track their location https://t.co/1ebPoY03NN https://t.co/SmayGlj5Fo
@androidmalware2
19 Jan 2026
3010 Impressions
9 Retweets
55 Likes
33 Bookmarks
0 Replies
0 Quotes
CVE-2025-36911(Bluetooth機器の乗っ取り)だって。 ちょっと……私も危ういかもしれない。
@Eternal_Zunda
19 Jan 2026
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#WhisperPair、数億台のBluetooth 機器に深刻な脆弱性 CVE-2025-36911-Google Fast Pairの不備による盗聴・追跡リスクの実態 https://t.co/iDwBKFVWfU #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
@securityLab_jp
18 Jan 2026
109 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WhisperPair, is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol. https://t.co/Jm3NfnJgWw
@RooTkiT1XZ
18 Jan 2026
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub - zalexdev/wpair-app: WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide https://t.co/WLc0LreaGQ
@akaclandestine
18 Jan 2026
2581 Impressions
7 Retweets
35 Likes
31 Bookmarks
1 Reply
1 Quote
POV: Someone just paired to your earbuds CVE-2025-36911 — Fast Pair accepts pairing requests even when NOT in pairing mode - Silent attack, zero user interaction - 100M+ vulnerable devices - Mic access via HFP Android PoC → https://t.co/0eNlZaKAw6 #bluetooth #hacking
@zalexdev
17 Jan 2026
104 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
CVE-2025-36911 in Google's Fast Pair protocol allows you to do some really cool things with Bluetooth devices. Learn more here: https://t.co/KFTNkpUIep The Whisper Pair app lets you run the exploit easily: https://t.co/FkoZYKhwrw https://t.co/rpnC6eZNfl
@zeac3r
17 Jan 2026
121 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WhisperPair Fast Pair Flaw Lets Attackers Hijack Millions of Bluetooth Audio Accessories SecurityWeek reports KU Leuven researchers found a critical Google Fast Pair implementation flaw (CVE-2025-36911) where vulnerable accessories don’t verify “pairing mode,” allowing
@ThreatSynop
16 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**Vulnerability Alert!** Millions of Bluetooth audio devices (headphones, earbuds) exposed by CVE-2025-36911 (WhisperPair). Attackers nearby (within 14m) can forcibly pair & potentially eavesdrop, hijack audio, or track your device via Find... #Cybersecurity #BluetoothSecurit
@LavxNews
16 Jan 2026
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Critical “WhisperPair” Bug Lets Hackers Track and Eavesdrop via Google Fast Pair Audio Devices Security researchers found a critical flaw in Google’s Fast Pair protocol (CVE-2025-36911) that allows nearby attackers to silently hijack vulnerable Bluetooth
@ThreatSynop
16 Jan 2026
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Une faille critique WhisperPair (CVE-2025-36911) touche des millions d’appareils audio Bluetooth avec Google Fast Pair. Elle permet le pistage, l’écoute et le détournement à distance. Mettez à jour le logiciel interne de l’appareil dès que possible. #chevalyeTek https
@williamboamson
16 Jan 2026
69 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-36911 In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversa… https://t.co/vOHTT5jlmI
@CVEnew
15 Jan 2026
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Researchers at KU Leuven disclose "WhisperPair" (CVE-2025-36911), a critical flaw in Google's Fast Pair that lets nearby attackers track and eavesdrop on hundreds of millions of Bluetooth audio devices. #Bluetooth https://t.co/6NHFW1PzZ4
@threatcluster
15 Jan 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical “WhisperPair” Flaw Lets Hackers Track & Eavesdrop via Bluetooth Audio Devices A critical weakness in Google’s Fast Pair protocol (CVE-2025-36911, “WhisperPair”) allows nearby attackers to silently hijack vulnerable earbuds/headphones/speakers, potentia
@ThreatSynop
15 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes