CVE-2025-48543 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-09-04

Added to CISA KEV: 2025-09-04 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review Android device logs, check for unauthorized apps, verify system integrity on managed Android devices
Apply Android security updates immediately to affected devices (versions 13, 14, 15, 16)
Implement mobile device management (MDM) to ensure patch deployment across organizational Android devices
Monitor for suspicious app installations and unusual system behavior on Android devices
Priority: HIGH for mobile device security, but not internet infrastructure priority due to local attack vector

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-48543 is a critical security vulnerability affecting the Android operating system, specifically within the Android Runtime (ART) component ^[1] ^[4].

Overview and Impact

Vulnerability Type: It is a use-after-free (UAF) memory corruption vulnerability (CWE-416) ^[4] ^[7].
Impact: Successful exploitation allows for local privilege escalation, enabling a malicious application to bypass the Android sandbox—which is designed to isolate applications from each other and the system—and potentially target the `system_server` or other sensitive components ^[3] ^[4].

Exploitation and Threat Landscape

Active Exploitation: The vulnerability was identified as being under "limited, targeted exploitation" in the wild at the time of its disclosure in September 2025 ^[2] ^[8].
Attack Method: It is a local exploit, meaning it typically requires a malicious application to be present on the device to trigger the flaw ^[4].
Ransomware/Targeted Attacks: While specific threat actor attribution was not widely detailed in public reports, the nature of the exploitation was described as "targeted," suggesting it was likely used in sophisticated campaigns rather than broad, automated ransomware attacks ^[2].
PoC Availability: Publicly available proof-of-concept (PoC) code has been associated with this CVE on platforms like GitHub, which is common for such high-profile vulnerabilities ^[6].

Mitigation and Patch Status

Patch Status: Google addressed this vulnerability as part of the September 2025 Android Security Bulletin ^[1].
Affected Components: The vulnerability resides in the Android Runtime (ART), which is a Project Mainline component, meaning it can be updated via Google Play system updates independently of full OS firmware updates ^[1].
Recommendation: Users are strongly advised to ensure their devices are running the latest available security patch level to mitigate this and other known vulnerabilities ^[5].

Sources

Android Security Bulletin—September 2025 - Android Open Source Project
CVE-2025-38352 CVE-2025-48543 2025-09-01 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-09-01 patch level. Vulnerabilities are grouped under the component they affect. ... The following issues are i…
Google fixes actively exploited Android vulnerabilities (CVE-2025 ...
Google fixed 100+ Android vulnerabilities, including CVE-2025-48543 and CVE-2025-38352, which "may be under limited, targeted exploitation."…
CVE-2025-48543 Detail - NVD
Description. In multiple locations, there is a possible way to escape chrome sandbox to attack android system_server due to a use after free. ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secu…
Two new privilege escalation vulnerabilities affecting the Android OS
Meanwhile, CVE-2025-48543 is a local privilege escalation vulnerability found in the Android Runtime (ART) component. It's a use-after-free flaw ... Meanwhile, CVE-2025-48543 is a local privilege escalation vulnerability found in the Android Runtime (ART) component. It's a use-after-free flaw, which…
PoC exploit for CVE-2025-48543 in C++ - GitHub
PoC exploit for CVE-2025-48543 in C++. Contribute to gamesarchive/CVE-2025-48543 development by creating an account on GitHub. ... PoC exploit for CVE-2025-48543 in C++. Contribute to gamesarchive/CVE-2025-48543 development by creating an account on GitHub.
CVE-2025-48543 - Critical Sandbox Escape in Chrome on ... - cve.news
CVE-2025-48543 is a highly critical bug that shows how complex modern exploits have become. By exploiting a use-after-free in Chrome's IPC mechanism, an attacker could break the browser’s security boundary and target your entire device. Always keep your software updated, stay away from shady website…
Android Runtime Use After Free (CVE-2025-48543) - ZeroPath
CVE-2025-48543 is a use after free vulnerability (CWE-416) in the Android Runtime (ART) component. ART is the managed runtime environment that ...
Android Multiple Vulnerabilities
Note: CVE-2025-38352 and CVE-2025-48543 are being scattered exploited. These vulnerability can lead to local escalation of privilege with no ...