Overview
- KU Leuven researchers publicly disclosed CVE-2025-36911, a Fast Pair implementation flaw affecting dozens of models across major brands and potentially hundreds of millions of accessories.
- Many devices fail to enforce the requirement to ignore pairing requests when not in pairing mode, enabling force-pair attacks within seconds at ranges up to about 14–15 meters.
- Once paired, attackers can disrupt playback, inject audio, access microphones to eavesdrop, and in first‑to‑pair scenarios register devices to their Google account for Find Hub tracking.
- Google says it coordinated fixes with OEMs, updated certification tools, issued a Find Hub mitigation, and saw no real‑world exploitation, while researchers reported a workaround to that mitigation.
- Remediation depends on accessory firmware updates from manufacturers; some devices are already patched (including Pixel Buds and models from Jabra and Logitech), others are pending, and users can check a public catalog to verify status.