CVE-2025-36920: Google Android Privilege Escalation Flaw

CVE-2025-36920 Overview

CVE-2025-36920 is an out-of-bounds write vulnerability discovered in the Linux kernel's KVM (Kernel-based Virtual Machine) hypervisor component on Android devices. The vulnerability exists in the hyp_alloc function within arch/arm64/kvm/hyp/nvhe/alloc.c, where improper input validation allows attackers to write data beyond allocated memory boundaries. This memory corruption flaw could enable local privilege escalation without requiring any additional execution privileges or user interaction.

Critical Impact

This vulnerability allows local attackers to escalate privileges on affected Android devices without user interaction, potentially gaining full system control through kernel-level memory corruption.

Affected Products

• Google Android (all versions prior to March 2026 security patch)

Discovery Timeline

• 2026-03-10 - CVE-2025-36920 published to NVD
• 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2025-36920

Vulnerability Analysis

The vulnerability resides in the ARM64 KVM hypervisor's non-VHE (Virtual Host Extension) memory allocation subsystem. The hyp_alloc function in arch/arm64/kvm/hyp/nvhe/alloc.c fails to properly validate input parameters before performing memory allocation operations. This improper input validation (CWE-20) creates a condition where an attacker can trigger an out-of-bounds write operation.

The flaw is particularly concerning because it exists at the hypervisor level, which operates with elevated privileges to manage virtual machine memory. When exploited, the out-of-bounds write can corrupt adjacent memory structures, potentially allowing an attacker to modify kernel data structures or code pointers.

The attack requires local access to the device but does not require the attacker to have any special privileges or convince a user to perform any action. This makes the vulnerability particularly dangerous on multi-user devices or devices that may run untrusted applications.

Root Cause

The root cause of CVE-2025-36920 is improper input validation in the hyp_alloc function. The function does not adequately verify the size or boundaries of allocation requests before processing them, allowing malformed inputs to trigger memory writes outside the intended buffer boundaries. This is a classic example of CWE-20 (Improper Input Validation) leading to CWE-787 (Out-of-bounds Write).

Attack Vector

The attack vector is local, meaning an attacker must have the ability to execute code on the target Android device. The exploitation path involves:

1. An attacker runs malicious code locally on the device (e.g., through a malicious app)
2. The malicious code crafts specially designed inputs targeting the KVM hypervisor allocation mechanism
3. These inputs trigger the improper validation flaw in hyp_alloc
4. The resulting out-of-bounds write corrupts kernel memory structures
5. The attacker leverages this corruption to escalate privileges to kernel level

The vulnerability is exploitable without any user interaction, meaning a malicious application running in the background could potentially exploit this flaw silently.

Detection Methods for CVE-2025-36920

Indicators of Compromise

• Unexpected crashes or kernel panics related to KVM hypervisor operations
• Suspicious processes attempting to interact with virtualization subsystems
• Anomalous memory allocation patterns in kernel logs related to hyp_alloc
• Unauthorized privilege escalation events from unprivileged applications

Detection Strategies

• Monitor system logs for KVM-related errors or unusual hypervisor activity
• Implement kernel-level integrity monitoring to detect memory corruption
• Deploy mobile threat detection solutions capable of identifying privilege escalation attempts
• Review installed applications for suspicious behavior patterns targeting kernel interfaces

Monitoring Recommendations

• Enable verbose logging for KVM and virtualization subsystems where possible
• Deploy endpoint detection and response (EDR) solutions with kernel-level visibility
• Monitor for applications requesting unusual permissions or accessing low-level system interfaces
• Implement application vetting processes to detect potentially malicious code before installation

How to Mitigate CVE-2025-36920

Immediate Actions Required

• Apply the March 2026 Android security update immediately on all affected devices
• Review installed applications and remove any that are untrusted or from unknown sources
• Enable automatic security updates to ensure timely patch deployment
• For enterprise environments, prioritize patch deployment through mobile device management (MDM) solutions

Patch Information

Google has addressed this vulnerability in the Android Security Bulletin for March 2026. Organizations and users should update their Android devices to the March 2026 security patch level or later. Detailed patch information is available in the Android Security Documentation.

Workarounds

• Limit installation of applications to trusted sources only (Google Play Store with Play Protect enabled)
• Implement mobile device management policies that restrict application installations
• Consider network segmentation for devices that cannot be immediately patched
• Enable SELinux in enforcing mode to limit potential exploit impact (default on most Android devices)