PT-2026-3081 · Google · Google Fast Pair

Published: 2026-01-15 · Updated: 2026-06-01 · CVE-2025-36911

CVSS v3.1: 7.1 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Google Fast Pair (affected versions not specified)

Description

A critical flaw exists in Google's Fast Pair protocol, identified as WhisperPair (CVE-2025-36911). This flaw allows nearby attackers to silently hijack vulnerable Bluetooth headphones, earbuds, and speakers. The vulnerability stems from a logic error in key-based pairing, where devices accept pairing requests even when not in pairing mode. This enables attackers to re-pair with devices, potentially eavesdrop on conversations via the microphone, and track victims through Google Find Hub. The risk affects hundreds of millions of devices across many brands. Exploitation requires proximity (up to 14 meters) and can occur within approximately 10 seconds without user interaction. The vulnerability allows for unauthorized pairing and potential access to microphone functionality without the user's knowledge or consent. A tool called WPair has been developed to scan for and demonstrate the vulnerability.

Recommendations

Apply firmware updates to your Bluetooth audio devices via companion apps.

Related Identifiers

BDU:2026-00509
CVE-2025-36911

Affected Products

Google Fast Pair