CVE-2025-36921: Information disclosure in Google Android
In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-36921 is a vulnerability identified in the Android kernel component, specifically within the ProtocolPsUnthrottleApn() function in protocolpsadapter.cpp. The root cause is a missing bounds check that leads to an out-of-bounds read operation. This type of flaw can result in local information disclosure, meaning that an attacker with local access and control over the baseband firmware can read memory areas beyond intended boundaries. The baseband firmware is a critical component responsible for cellular communication functions, and its compromise is a prerequisite for exploiting this vulnerability. Since the flaw does not require user interaction, an attacker who has already compromised the baseband could leverage this vulnerability to extract sensitive information from the device's memory, potentially including cryptographic keys, user data, or other confidential information. The vulnerability affects the Android kernel, which is foundational to the operating system's security and stability. No CVSS score has been assigned yet, and there are no known exploits in the wild. The vulnerability was reserved in April 2025 and published in December 2025. Due to the nature of the vulnerability, it is primarily a local threat requiring sophisticated access, but the impact on confidentiality can be significant if exploited. The lack of patch links suggests that fixes may still be pending or in development.
Potential Impact
For European organizations, the impact of CVE-2025-36921 could be significant, particularly for those relying heavily on Android devices for secure communications, mobile workforce, or critical infrastructure management. The vulnerability could lead to unauthorized disclosure of sensitive information stored or processed on Android devices, undermining confidentiality and potentially enabling further attacks. Organizations in sectors such as finance, government, telecommunications, and defense are especially at risk due to the sensitive nature of their data and operations. The requirement for baseband firmware compromise raises the attack complexity but also indicates a high-value target scenario, as attackers capable of such compromise are likely advanced threat actors. The absence of user interaction lowers the barrier for exploitation once baseband control is achieved. This vulnerability could also affect mobile network operators and device manufacturers in Europe, who must ensure firmware integrity and timely patching to prevent exploitation. Overall, the threat could erode trust in Android devices and impact compliance with data protection regulations like GDPR if sensitive data is leaked.
Mitigation Recommendations
Mitigation should focus on multiple layers:
1) Promptly applying security patches from Google and device manufacturers once available to address the missing bounds check in the Android kernel.
2) Strengthening baseband firmware security by employing secure boot, firmware integrity verification, and restricting unauthorized firmware modifications to prevent initial compromise.
3) Implementing robust endpoint security solutions on Android devices that can detect anomalous behavior indicative of baseband compromise or kernel exploitation attempts.
4) Network-level protections such as monitoring for unusual cellular traffic patterns that may indicate baseband attacks.
5) For organizations, enforcing strict device management policies including regular updates, device attestation, and restricting use of devices with outdated firmware.
6) Collaborating with mobile network operators to ensure baseband firmware updates are distributed securely and in a timely manner.
7) Conducting regular security audits and penetration testing focused on mobile device and baseband security.
These steps go beyond generic advice by emphasizing firmware integrity and coordinated patch management across the device ecosystem.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Google_Devices
- Date Reserved: 2025-04-16T00:33:34.962Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b21657d4c6f31f7c3531f
Added to database: 12/11/2025, 7:54:13 PM
Last enriched: 12/11/2025, 8:14:38 PM
Last updated: 12/12/2025, 4:00:28 AM