Mallory
Severity: High

Local privilege escalation in Android Kernel pKVM mem_protect.c

Identifiers: CVE-2025-48637; CWE-190: Integer Overflow or Wraparound

CVE-2025-48637 is a high-severity elevation-of-privilege vulnerability in the Android kernel's protected KVM (pKVM) component. According to the Android security bulletin, multiple functions in mem_protect.c contain an integer overflow that can lead to an out-of-bounds write. The memory corruption is reachable locally and lets an attacker break the memory-safety guarantees the pKVM subsystem is meant to enforce. Because pKVM isolates sensitive code and data from the host kernel on Android devices, corruption here undermines a core security boundary. The issue requires no user interaction and is described as exploitable without additional execution privileges.
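The bug class the bulletin names, CWE-190 in a range computation that is checked only after it has already wrapped, is illustrated below. This is an added example written for this page, not code from mem_protect.c or the Android kernel: the table size, the page-state enum, the check function names and the mark_owned helper are assumptions chosen for illustration, and the actual overflowing expressions in pKVM are not reproduced here. The vulnerable check sits beside the hardened one so the two can be compared on the same input.

```c
/* Added example: CWE-190 in a range check guarding a per-page state table.
 * Hypothetical model, not code from mem_protect.c.
 * Build: cc -std=c11 -Wall example.c && ./a.out */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_PAGES 1024u             /* entries in the table (assumed size) */
enum page_state { PAGE_FREE = 0, PAGE_OWNED = 1 };
static uint8_t page_state[NR_PAGES];

/* Vulnerable pattern: the end of the range is computed first and compared
 * afterwards. If start + nr_pages wraps past UINT64_MAX, end is small, the
 * comparison passes, and a caller that then walks nr_pages entries from
 * start writes past the table. */
bool range_ok_wrapping(uint64_t start, uint64_t nr_pages)
{
	uint64_t end = start + nr_pages;   /* unsigned wrap is silent */
	return end <= NR_PAGES;
}

/* Hardened: reject the wrap before anything is compared. The kernel's
 * check_add_overflow() (linux/overflow.h) wraps the same compiler builtin. */
bool range_ok_checked(uint64_t start, uint64_t nr_pages)
{
	uint64_t end;

	if (nr_pages == 0)
		return false;
	if (__builtin_add_overflow(start, nr_pages, &end))
		return false;               /* wrapped: never a valid range */
	return end <= NR_PAGES;
}

/* Mark [start, start + nr_pages) as owned after validating with `check`.
 * Returns 0, -EINVAL when the range is rejected, or -EFAULT at the point
 * where the loop would have written outside the table. The in-loop index
 * test exists only to keep this demonstration memory-safe; real code has
 * no such net and relies entirely on the up-front check. */
int mark_owned(uint64_t start, uint64_t nr_pages,
	       bool (*check)(uint64_t, uint64_t))
{
	if (!check(start, nr_pages))
		return -EINVAL;

	for (uint64_t i = 0; i < nr_pages; i++) {
		uint64_t idx = start + i;  /* wraps again for hostile inputs */

		if (idx >= NR_PAGES)
			return -EFAULT;        /* this is the out-of-bounds write */
		page_state[idx] = PAGE_OWNED;
	}
	return 0;
}

int main(void)
{
	/* Constructed hostile input: start is near the top of the 64-bit
	 * range, so start + nr_pages wraps to 4 and passes the naive check. */
	uint64_t start = UINT64_MAX - 3, nr_pages = 8;

	printf("naive check passes: %d\n", range_ok_wrapping(start, nr_pages));
	printf("naive mark_owned  : %d (expect -EFAULT = %d)\n",
	       mark_owned(start, nr_pages, range_ok_wrapping), -EFAULT);
	printf("checked mark_owned: %d (expect -EINVAL = %d)\n",
	       mark_owned(start, nr_pages, range_ok_checked), -EINVAL);
	printf("legit mark_owned  : %d\n", mark_owned(16, 8, range_ok_checked));
	return 0;
}
```

The point to carry into review of any similar code: a bound check written as `start + len <= limit` is only meaningful if the addition cannot wrap, so either compute the sum with an overflow-detecting primitive or check `len <= limit && start <= limit - len` instead.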


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives a local attacker elevated privileges on an affected Android device. Because the flaw is in the kernel's pKVM subsystem, an attacker who starts from an unprivileged local context can corrupt memory that the hypervisor layer uses to keep protected workloads isolated from the host, so the impact is not limited to the kernel: the isolation guarantees that sensitive workloads rely on may also fail. This page rates the issue High; in practice a kernel EoP of this kind can lead to compromise of device security boundaries and broad control over the system. No public exploitation has been observed at the time of writing.

Mitigation

If you can’t patch tonight, do this now.

The primary mitigation is prompt installation of the December 2025 Android security update; the fix is carried by security patch level 2025-12-05, so devices need that level or later. Until patched, reduce exposure by limiting the ability to run untrusted local code or applications on affected devices, enforcing application control in managed environments, and prioritizing vendor firmware updates for supported Android 13 through 16 devices. On Google Mobile Services devices, Google Play Protect may reduce the chance of a malicious app reaching the device, but it does nothing to the kernel flaw itself and is not a substitute for patching.

Remediation

Patch, then assume compromise.

Apply the Android December 2025 security updates that include the fix for CVE-2025-48637. The bulletin indicates that full coverage for this kernel pKVM issue is included in the 2025-12-05 Android security patch level; a device reports its applied level in the system property ro.build.version.security_patch, which is the value to compare against 2025-12-05 when auditing a fleet. Device OEMs and downstream integrators should incorporate the relevant kernel/AOSP fixes for the integer overflow and out-of-bounds write in pKVM's mem_protect.c and ship updated firmware images to supported devices.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor   Product   Type
Google   Android   operating_system

Vendor-confirmed product mapping.
