CVE-2025-36920 is a vulnerability identified in the Android kernel, specifically within the ARM64 KVM hypervisor allocator component (hyp_alloc) located in arch/arm64/kvm/hyp/nvhe/alloc.c. The flaw stems from improper input validation that leads to an out-of-bounds write, classified under CWE-787 (Out-of-bounds Write) and CWE-20 (Improper Input Validation). This vulnerability allows a local attacker with no prior elevated privileges to perform a memory corruption attack, resulting in elevation of privilege on the device. The attacker does not require any additional execution privileges or user interaction, making the exploit straightforward once local access is obtained. The impact includes full compromise of confidentiality, integrity, and availability of the affected Android device, as the attacker can gain kernel-level privileges. The vulnerability affects the Android kernel on ARM64 architectures, which underpin the majority of modern Android smartphones and tablets. Although no exploits have been reported in the wild yet, the CVSS v3.1 base score of 8.4 reflects the high risk posed by this vulnerability. The flaw was reserved in April 2025 and published in March 2026, indicating a recent discovery and disclosure. The absence of patch links suggests that fixes may still be pending or in development. This vulnerability is critical for device manufacturers, mobile operators, and end users relying on Android devices for secure operations.

The vulnerability enables a local attacker to escalate privileges to kernel level, potentially gaining full control over the affected Android device. This can lead to unauthorized access to sensitive data, installation of persistent malware, bypassing of security controls, and disruption of device functionality. Given the widespread use of Android devices globally, the impact extends to personal users, enterprises, and critical infrastructure relying on mobile platforms. Attackers exploiting this flaw could compromise corporate mobile endpoints, leading to data breaches and lateral movement within enterprise networks. The lack of requirement for user interaction increases the risk of automated or stealthy exploitation. The vulnerability could also undermine trust in Android device security, affecting ecosystem stakeholders. Although no known exploits exist currently, the high severity and ease of exploitation make timely remediation essential to prevent future attacks.

1. Apply official security patches from Google and device manufacturers promptly once available to fix the input validation and memory management issues in hyp_alloc. 2. Until patches are deployed, restrict local access to devices by enforcing strong physical security and limiting untrusted app installations. 3. Employ mobile device management (MDM) solutions to monitor and control device configurations and detect suspicious privilege escalation attempts. 4. Use security features such as SELinux enforcing mode and verified boot to reduce the impact of kernel-level compromises. 5. Educate users and administrators about the risks of local privilege escalation vulnerabilities and the importance of timely updates. 6. For organizations, consider network segmentation and endpoint detection to limit the spread of potential compromises originating from mobile devices. 7. Monitor security advisories from Google and Android OEMs for updates on patches and exploit developments. 8. Conduct regular security assessments and penetration testing focusing on local privilege escalation vectors in mobile environments.