Overview
- Researchers identified the issue as CVE-2025-36911, disclosed it publicly after a 150-day coordinated-disclosure window, and said Google paid a $15,000 bounty while coordinating patches with the accessory manufacturers.
- Any Bluetooth-capable device within roughly 14 meters of a vulnerable accessory can force a pairing with it, with no interaction from the owner.
- Once paired, an adversary can track the accessory through Google's Find Hub, disrupt audio playback, and eavesdrop through the accessory's onboard microphones.
- The risk spans Android and iOS because the weakness lives in the accessory's firmware, not the phone; disabling Fast Pair on the phone does not stop the attack, so users must install the firmware update for each affected accessory.
- The researchers list affected products from major brands, including Sony WH-1000XM6/5/4, Nothing Ear (a), OnePlus Nord Buds 3 Pro, and Pixel Buds Pro 2, while noting that fixes may not yet be available for all models.