Cyber Posture

CVE-2025-36920

High

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36920 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly enforces input validation at system interfaces, addressing the improper input validation in hyp_alloc that enables the out-of-bounds write.

SI-2 Flaw Remediation good match
preventrecover

Mandates timely identification, reporting, and correction of the specific flaw in the Linux kernel's KVM hypervisor on ARM64.

SI-16 Memory Protection partial match
prevent

Implements memory safeguards to protect against unauthorized code execution resulting from the out-of-bounds write vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Direct local privilege escalation via out-of-bounds write in KVM hypervisor (improper input validation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2025-36920 is a vulnerability in the hyp_alloc function of arch/arm64/kvm/hyp/nvhe/alloc.c within the Linux kernel's KVM hypervisor on ARM64 architecture. It arises from improper input validation, enabling a possible out-of-bounds write. The issue affects Android Pixel devices, as referenced in their security bulletins.

A local attacker can exploit this vulnerability to achieve escalation of privilege without requiring additional execution privileges or user interaction. With attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), it carries a CVSS v3.1 base score of 8.4, yielding high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The associated weakness categories are CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write).

Android Pixel security bulletins for 2026-03-01 provide details on patches and mitigation, available at https://source.android.com/security/bulletin/pixel/2026-03-01 and https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01.

Details

CWE(s)
CWE-20CWE-787

Affected Products

google
android
all versions

CVEs Like This One

CVE-2026-0010Same product: Google Android
CVE-2024-53838Same product: Google Android
CVE-2026-0123Same product: Google Android
CVE-2024-53837Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49745Same product: Google Android
CVE-2026-0117Same product: Google Android
CVE-2026-0037Same product: Google Android
CVE-2025-48647Same product: Google Android
CVE-2025-32313Same product: Google Android

References