CVE-2025-36920 is a vulnerability identified in the ARM64 KVM hypervisor allocator component (hyp_alloc) of the Android kernel. The issue stems from improper input validation leading to an out-of-bounds write in the kernel memory space. This flaw allows a local attacker, who already has some level of code execution on the device, to perform an elevation of privilege attack by corrupting kernel memory structures. The vulnerability does not require additional execution privileges beyond local access, nor does it require user interaction, making it more dangerous in scenarios where an attacker has limited access but can execute code locally, such as through a compromised app or local shell. The affected component is critical as it manages memory allocation for the hypervisor on ARM64 architectures, meaning exploitation could lead to full kernel compromise, allowing attackers to bypass security mechanisms, access sensitive data, or install persistent malware. No CVSS score has been assigned yet, and no public exploits have been reported, but the nature of the vulnerability suggests a high risk. The vulnerability affects Android devices running kernels with the ARM64 KVM hypervisor enabled, which is common in modern Android devices supporting virtualization features. The flaw was reserved in April 2025 and published in March 2026, indicating a recent discovery and disclosure. The lack of patches at the time of reporting means devices remain vulnerable until updates are released and applied.

The primary impact of CVE-2025-36920 is the potential for local attackers to gain elevated privileges on affected Android devices, leading to full kernel-level control. This can compromise the confidentiality, integrity, and availability of the device by allowing attackers to bypass sandboxing, access sensitive user data, install persistent malware, or disrupt device operations. Organizations relying on Android devices for sensitive communications or operations could face data breaches, espionage, or sabotage. The vulnerability's exploitation does not require user interaction, increasing the risk of automated or stealthy attacks once local access is obtained. Although no known exploits are currently in the wild, the vulnerability's characteristics make it attractive for attackers targeting high-value Android devices, including those used in enterprise, government, or critical infrastructure contexts. The scope of affected systems is broad given Android's global market penetration, especially in ARM64-based devices supporting virtualization. The vulnerability could also facilitate lateral movement within compromised networks if attackers escalate privileges on devices used as entry points.

To mitigate CVE-2025-36920, organizations and users should: 1) Monitor for official security patches from Google and device manufacturers and apply them promptly once available. 2) Restrict local access to devices by enforcing strong authentication and limiting physical or remote shell access to trusted users only. 3) Employ application whitelisting and runtime protections to prevent untrusted code execution that could lead to local exploitation. 4) Disable or restrict virtualization features (KVM) on devices where not required to reduce the attack surface. 5) Use mobile device management (MDM) solutions to enforce security policies and monitor for suspicious activity indicative of privilege escalation attempts. 6) Conduct regular security audits and penetration testing focusing on local privilege escalation vectors. 7) Educate users about the risks of installing untrusted applications or granting unnecessary permissions that could facilitate local code execution. These steps, combined with timely patching, will reduce the risk of exploitation and limit the potential damage from this vulnerability.