Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Local Privilege Escalation in Android Kernel pKVM init_pkvm_hyp_vcpu

IdentifiersCVE-2025-48623CWE-787· Out-of-bounds Write

CVE-2025-48623 is a critical elevation-of-privilege vulnerability in the Android kernel's protected KVM (pKVM) subsystem. According to the provided content, the flaw is located in the function init_pkvm_hyp_vcpu in pkvm.c, where improper input validation can result in an out-of-bounds write. This memory corruption condition may allow a local attacker to corrupt adjacent memory in the pKVM context and break intended isolation guarantees. The issue is described as requiring no additional execution privileges and no user interaction for exploitation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to local escalation of privilege on affected Android devices. Because the flaw is in the pKVM subsystem, exploitation may undermine virtualization-based isolation boundaries that pKVM is intended to enforce, potentially enabling compromise of sensitive kernel or hypervisor-adjacent execution contexts. The bulletin classifies this issue as critical.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is prompt installation of the December 2025 Android security update, preferably to patch level 2025-12-05 or later. Where immediate patching is not possible, reduce exposure by limiting execution of untrusted local code and enforcing strong application control, since this is a local privilege-escalation issue. Google Play Protect may provide some general risk reduction against malicious apps, but it is not a substitute for applying the kernel patch.

Remediation

Patch, then assume compromise.

Apply the Android December 2025 security updates that include the fix for CVE-2025-48623. The provided content indicates that kernel and related vendor fixes are covered by the 2025-12-05 security patch level, and devices at 2025-12-05 or later are considered protected against the issues listed in the bulletin. OEMs should integrate the corresponding kernel fix for the pKVM subsystem into supported Android 13-16 device builds.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleAndroidoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
socradar blogNews
Dec 2, 2025
December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited

Critical local elevation-of-privilege vulnerability in the kernel pKVM subcomponent (as described), addressed in the 2025-12-05 patch level via upstream kernel patches.

Read more
security online infoNews
Dec 2, 2025
Android Emergency: Critical DoS Flaw and 2 Exploited Zero-Days in Framework Require Immediate Patch

A critical elevation-of-privilege vulnerability in the Android Kernel's Protected KVM (PKVM) subsystem.

Read more
cyberthroneNews
Dec 2, 2025
Android Patch Update December 2025

Critical kernel-level elevation-of-privilege vulnerability in Android affecting protected KVM (pKVM), weakening isolation/virtualization guarantees if exploited.

Read more
android security bulletinNews
Dec 1, 2025
Android Security Bulletin—December 2025

A critical local escalation of privilege vulnerability in the pKVM subcomponent of the Android kernel.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-48623
NVD
nvd.nist.gov/vuln/detail/CVE-2025-48623
MITRE CWE · CWE-787
Out-of-bounds Write
Patch
android.googlesource.com/kernel/common/+/3b6fab0ff24f7108c71a4d9c12567455cb2a5a81
Patch
android.googlesource.com/kernel/common/+/e76cff4952af4ac4652dc74ffbd134ff57c47895
Vendor Advisory
source.android.com/security/bulletin/2025-12-01