Use-after-free privilege escalation in Android Runtime (ART)
CVE-2025-48543 is a use-after-free vulnerability in the Android Runtime (ART) component. The issue is described as a memory-lifecycle flaw in ART that can leave a dangling reference after an object is freed, enabling attacker-controlled reuse of freed memory. Supporting content indicates the bug has been used as a Chrome sandbox escape on Android, with exploitation reachable from a compromised Chrome renderer and resulting in code execution in the privileged system_server process. The vulnerability affects Android 13 through 16 and was addressed in the September 2025 Android Security Bulletin / associated Google Play system updates. Google reported indications of limited, targeted in-the-wild exploitation.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (POC) exploit for CVE-2025-48543, a critical use-after-free vulnerability in the Android Runtime (ART) component affecting Android versions 13 through 16. The repository consists of a single C++ source file (CVE202548543.cpp) implementing the exploit logic and a detailed README.md explaining the vulnerability, exploitation steps, and real-world considerations. The exploit works by creating and freeing large Java String objects via JNI to trigger a use-after-free condition in ART, then performing heap spraying to overwrite freed memory with controlled data. It leverages the Android Binder IPC mechanism to communicate with and inject code into the highly privileged system_server process. The included shellcode is a placeholder for arbitrary code execution in the system_server context, demonstrating the potential for full device compromise and privilege escalation. The exploit is local in nature, requiring execution on a vulnerable Android device (pre-September 2025 patch). The code is structured as a JNI native library, with the main entry point being the trigger_use_after_free function, registered via JNI_OnLoad. The endpoints identified include the targeted Java class (java/lang/String), the JNI registration class (com/example/CVE202548543Exploit), and the system_server process. The README provides comprehensive documentation, including affected versions, impact, mitigation, and technical details of the exploit steps.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
54 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Android vulnerability reported as exploited in targeted attacks; details not provided in the snippet.
A use-after-free vulnerability in Android Runtime, exploited as part of Predator spyware campaigns to gain initial access to Android devices.
A local privilege escalation vulnerability in Android Runtime that was actively exploited.
An unspecified vulnerability in Android Runtime.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.