Cyber Resilience

CVE-2025-36920

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 3.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36920 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-36920 is a vulnerability in the hyp_alloc function of arch/arm64/kvm/hyp/nvhe/alloc.c within the Linux kernel's KVM hypervisor on ARM64 architecture. It arises from improper input validation, enabling a possible out-of-bounds write. The issue affects Android Pixel devices, as referenced in their security bulletins.

A local attacker can exploit this vulnerability to achieve escalation of privilege without requiring additional execution privileges or user interaction. With attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), it carries a CVSS v3.1 base score of 8.4, yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The associated weakness categories are CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write).

Android Pixel security bulletins for 2026-03-01 provide details on patches and mitigation, available at https://source.android.com/security/bulletin/pixel/2026-03-01 and https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01.

EU & UK References

Vulnerability details

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via out-of-bounds write in KVM hypervisor (improper input validation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-49745Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2025-48647Same product: Google Android
CVE-2026-0034Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2026-0037Same product: Google Android
CVE-2026-0117Same product: Google Android
CVE-2026-0123Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces input validation at system interfaces, addressing the improper input validation in hyp_alloc that enables the out-of-bounds write.

preventrecover

Mandates timely identification, reporting, and correction of the specific flaw in the Linux kernel's KVM hypervisor on ARM64.

prevent

Implements memory safeguards to protect against unauthorized code execution resulting from the out-of-bounds write vulnerability.

References