CVE-2025-48623 — Out-of-bounds Write in Google Android

CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 94.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedDec 8

Description

In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5google/androidAndroid kernel

Patches

Patch: android.googlesource.com ↗Patch: android.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-c839-h8gq-w63p: In init_pkvm_hyp_vcpu of pkvm↗2025-12-08

▶

CVEList

CVE-2025-48623: In init_pkvm_hyp_vcpu of pkvm↗2025-12-08

▶

OSV

CVE-2025-48623: In init_pkvm_hyp_vcpu of pkvm↗2025-12-01

▶

📋Vendor Advisories

Android

CVE-2025-48623: pKVM↗2025-12-01

▶