CVE-2025-36923 is a vulnerability identified in the Android kernel, specifically within the NrmmDecoder::DecodeSORTransparentContext function located in the cn_NrmmDecoder.cpp source file. The root cause is a heap buffer overflow leading to an out-of-bounds write condition (CWE-122). This flaw allows an attacker positioned proximally or adjacently on the network to escalate privileges on the device without requiring prior elevated execution privileges or any user interaction, making it particularly dangerous. The vulnerability is triggered by malformed input that causes the decoder to write beyond allocated heap memory, potentially corrupting kernel memory structures. Successful exploitation could allow an attacker to gain kernel-level privileges, thereby compromising the device's confidentiality, integrity, and availability. The CVSS v3.1 base score is 8.0, reflecting high severity with attack vector as adjacent network (AV:A), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches have been linked yet, and no exploits are known in the wild, but the vulnerability's characteristics suggest it could be weaponized. Given the Android kernel's widespread deployment across mobile devices, this vulnerability poses a significant risk to users and organizations relying on Android devices.

For European organizations, the impact of CVE-2025-36923 could be severe. Many enterprises rely on Android devices for communication, remote access, and mobile workflows. An attacker exploiting this vulnerability could gain kernel-level privileges, enabling them to bypass security controls, access sensitive corporate data, install persistent malware, or disrupt device operations. This could lead to data breaches, intellectual property theft, and operational downtime. The lack of required user interaction increases the risk of automated or stealthy exploitation, especially in environments where devices connect to shared or untrusted networks. Additionally, the vulnerability could be leveraged in targeted attacks against high-value individuals or organizations, including government agencies, financial institutions, and critical infrastructure operators within Europe. The potential for lateral movement within corporate networks via compromised devices further amplifies the threat.

Organizations should prioritize monitoring vendor announcements and apply official patches from Google as soon as they become available. Until patches are released, network segmentation should be enforced to limit device exposure to potentially malicious adjacent network actors. Employing host-based intrusion detection systems (HIDS) and endpoint detection and response (EDR) solutions capable of monitoring kernel-level anomalies can help detect exploitation attempts. Restricting unnecessary network protocols and services on Android devices reduces the attack surface. Enterprises should also enforce strict device management policies, including disabling or limiting device features that are not essential and ensuring devices run the latest security updates. User education about connecting only to trusted networks and avoiding suspicious proximity-based connections can further reduce risk. Finally, organizations should consider implementing network access controls (NAC) to prevent compromised devices from accessing sensitive resources.