{"id":"ASB-A-443763663","details":"In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-443763663","CVE-2025-48637"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2025-12-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"severity":"Critical","fixes":["https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d","https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20"],"spl":"2025-12-05","types":["EoP"],"vanir_signatures":[{"signature_version":"v1","target":{"function":"guest_get_valid_pte","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"signature_type":"Function","digest":{"length":456,"function_hash":"140393265081442329449425783156025100417"},"id":"ASB-A-443763663-033c1c84","source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","deprecated":false},{"signature_version":"v1","target":{"file":"arch/arm64/kvm/hyp/nvhe/mm.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["41357223220029763034318063926808516362","107835455719160484103181271729945352483","218413571962783688180621018947548030742","74348370173617154205662168520543802245","201140442960149304804951317674927593473","259806366497591605989767293194059553161","103082277535687432447449465277955605554","226064330952052570963410970162019658604","132156172233785212772556316055115398219","66531324142846094245872514907634784592","261756564615928259791383022051492410605","81034700948420729546186816053298405578"]},"id":"ASB-A-443763663-0761bdd7","source":"https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d","deprecated":false},{"signature_version":"v1","target":{"function":"__guest_check_page_state_range","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"signature_type":"Function","digest":{"length":265,"function_hash":"224810733133245517766745445897791307863"},"id":"ASB-A-443763663-4770adc9","source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","deprecated":false},{"signature_version":"v1","target":{"function":"refill_hyp_pool","file":"arch/arm64/kvm/hyp/nvhe/mm.c"},"signature_type":"Function","digest":{"length":333,"function_hash":"22632907608192465059315258365873554221"},"id":"ASB-A-443763663-5265e5c7","source":"https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d","deprecated":false},{"signature_version":"v1","target":{"function":"kvm_iommu_refill","file":"arch/arm64/kvm/hyp/nvhe/iommu/iommu.c"},"signature_type":"Function","digest":{"length":752,"function_hash":"244019698325816914797832225193937936520"},"id":"ASB-A-443763663-875b647f","source":"https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d","deprecated":false},{"signature_version":"v1","target":{"function":"___host_check_page_state_range","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"signature_type":"Function","digest":{"length":488,"function_hash":"170680755638094553506667093797892125235"},"id":"ASB-A-443763663-a907d5bb","source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","deprecated":false},{"signature_version":"v1","target":{"file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["270330813582972435842825277868865552248","41755106572300848336673352833570550237","154267648795344506484886981289337652728","235678429952762461034075733795936955721","268747802010080201098370348937141814481","233584329941717470082292767973561197320","61264962345220014820310662083950283111","96277611542100000118530570091945907898","15020113626905274813333059629451368897","306848634213538203798184025825774940070","65605068926131335295381250070305785100","242660080755050945565192417065352649796","299090722878015974131273378308896121852","238231049761437256322825198818663779035","235791909068065699509332621156496288269","33517853298061888229925141020800035291","83255801305818146573640562624568545059","14565447768208093161553499218307741283"]},"id":"ASB-A-443763663-b622da72","source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","deprecated":false},{"signature_version":"v1","target":{"function":"__host_check_page_state_range","file":"arch/arm64/kvm/hyp/nvhe/mem_protect.c"},"signature_type":"Function","digest":{"length":264,"function_hash":"273050602761954097886820638526786646067"},"id":"ASB-A-443763663-cb457ab9","source":"https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20","deprecated":false},{"signature_version":"v1","target":{"file":"arch/arm64/kvm/hyp/nvhe/iommu/iommu.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["124033088507589349670732817574953490421","17648690578236074004186557059124336225","294085542175290052671588349476042224443","58382261825225629705018483273875007645","209636862288731807488029004543803184246","49371074249655175498576943366775696927","171565137720322743846282709920180913675","136309658371822085600868842260731854085","127791330812687308711768621036162596715","283348369972456175722722962344730252998","158999761841958448264992801532107125858","63645214718270019533277524332522691069","75116364488990616591396406864052755001","80708934540432077762774300521107285875","143948780479865104749247134674316415425","261726992914275181324859905788763503784","256920358902043702254506928069741960045","15163798770322415369722042246792709587","220336129047662555093362149973128691965","149838372327518077599044546155711080596","183918493517346234005908227393155019049","74373140902469917200027924280507363508"]},"id":"ASB-A-443763663-e1c5f42a","source":"https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d","deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-443763663.json"}}],"schema_version":"1.7.5"}