CVE-2025-48543 — Android Runtime Use-After-Free Vulnerability

CVE-2025-48543

Android Runtime — ART UAF Chrome Sandbox Escape; Paired with CVE-2025-38352 for Full Kernel LPE; Limited Targeted Exploitation

What is Android Runtime (ART)?

Android Runtime (ART) is the managed runtime environment that executes Android application code. Apps written in Java or Kotlin are compiled to DEX (Dalvik Executable) bytecode, which ART compiles ahead-of-time (AOT) to native machine code. ART also manages memory, garbage collection, and sandboxing for Android apps — including providing isolation between apps and the system.

The Chrome browser on Android runs in a multi-process architecture with a sandboxed renderer process. When a WebKit/Blink vulnerability allows code execution in the renderer, a second vulnerability (sandbox escape) is needed to break out of the Chrome sandbox and reach the broader Android system. ART vulnerabilities that are reachable from within the sandbox serve this sandbox escape role.

Overview

CVE-2025-48543 is a use-after-free (CWE-416) in Android Runtime that allows code running inside the Chrome sandbox to escape the sandbox and escalate privileges locally. The vulnerability causes memory corruption in structures used by system_server, the central Android process that coordinates system services. When paired with CVE-2025-38352 (Linux kernel TOCTOU for kernel-level LPE), the two CVEs form a complete exploit chain from Chrome renderer code execution to full device compromise. Both were added to the CISA KEV catalog simultaneously on September 4, 2025.

Affected Versions

Platform | Vulnerable | Fixed
Android 13 | Before 2025-09-01 patch level | September 2025 patch level
Android 14 | Before 2025-09-01 patch level | September 2025 patch level
Android 15 | Before 2025-09-01 patch level | September 2025 patch level
Android 16 | Before 2025-09-01 patch level | September 2025 patch level

Technical Details

The use-after-free (CWE-416) occurs in the Android Runtime. Memory allocated for an ART runtime object is freed while a reference to it is retained in another data structure accessible from within the Chrome sandbox renderer process. By triggering and controlling the use-after-free, code running in the sandboxed Chrome renderer can corrupt memory in the ART/system_server space outside the sandbox boundary.

The Changed scope (S:C in the CVSS vector) reflects the sandbox-crossing nature of the exploit: code executing inside the restricted Chrome sandbox (one security domain) exploits ART to gain access to system_server and the broader Android OS (a different, more privileged security domain).

Typical exploit chain context:

  1. WebKit/Blink vulnerability → code execution inside Chrome renderer sandbox
  2. CVE-2025-48543 → escape Chrome sandbox, corrupt system_server state → app-level privilege escalation
  3. CVE-2025-38352 (Linux kernel TOCTOU) → escalate to kernel/root level

Discovery

Reporter attribution not publicly disclosed. Google's description of "limited, targeted exploitation" is consistent with spyware toolkit attribution.

Exploitation Context

Google marked CVE-2025-48543 as "possibly under limited, targeted exploitation" in the September 2025 Android Security Bulletin. CISA added both CVE-2025-48543 and CVE-2025-38352 to the KEV catalog on the same day (September 4, 2025), strongly suggesting both were identified as part of the same exploitation chain in the same campaign. This pattern is consistent with state-sponsored or commercial spyware operations.

Remediation

  1. Apply Android September 2025 security patches (patch level 2025-09-01 or later) on all Android 13–16 devices.
  2. Patch CVE-2025-38352 at the same time — the kernel LPE and this ART sandbox escape are companion exploits in the same chain; both must be patched to prevent full device compromise.
  3. Prioritize Pixel and enterprise-managed Android devices for patch deployment; Samsung, OnePlus, and other OEM devices may ship patches with a delay.
  4. Enable Google Play Protect and keep it updated — this provides some detection of known spyware payloads.
  5. Apply Chrome/browser updates promptly — the initial code execution step in the chain typically comes from a browser vulnerability, not ART itself.
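An added example for remediation steps 1 and 2 (not from the Android bulletin or this advisory): a POSIX shell check that reads a device's Android release and security patch level and reports whether it carries the 2025-09-01 patch level. The property names ro.build.version.security_patch and ro.build.version.release are real Android system properties; the check_device wrapper assumes adb is on PATH and is illustrative glue.

```shell
#!/bin/sh
# Added example: verify an Android 13-16 device has the 2025-09-01 security
# patch level (September 2025 bulletin, fixes CVE-2025-48543 and CVE-2025-38352).
REQUIRED_PATCH="2025-09-01"

# iso_to_int <YYYY-MM-DD>: prints YYYYMMDD so patch levels compare as integers.
iso_to_int() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  printf '%s%s%s' "$y" "$m" "$d"
}

# patch_is_current <patch_level> <required>: 0 if patch_level >= required,
# 1 if older, 2 if the value is not a YYYY-MM-DD date (property missing/garbled).
patch_is_current() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  [ "$(iso_to_int "$1")" -ge "$(iso_to_int "$2")" ]
}

# release_in_scope <android_release>: 0 for Android 13-16 (the affected
# versions listed in the bulletin), 1 otherwise. "14.0" and "14" both match.
release_in_scope() {
  case "${1%%.*}" in
    13|14|15|16) return 0 ;;
    *) return 1 ;;
  esac
}

# assess <release> <patch_level>: prints PATCHED, VULNERABLE, OUT_OF_SCOPE or UNKNOWN.
assess() {
  if ! release_in_scope "$1"; then echo OUT_OF_SCOPE; return 0; fi
  rc=0
  patch_is_current "$2" "$REQUIRED_PATCH" || rc=$?
  case $rc in
    0) echo PATCHED ;;
    1) echo VULNERABLE ;;
    *) echo UNKNOWN ;;
  esac
}

# check_device: query the connected device over adb (hypothetical wrapper; adb must be in PATH).
# tr strips the CR that some adb versions append to shell output.
check_device() {
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
  patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  printf 'Android %s, patch level %s: %s\n' "$rel" "$patch" "$(assess "$rel" "$patch")"
}

# Usage: sh check_patch.sh device   (only talks to adb when asked to)
if [ "${1:-}" = "device" ]; then check_device; fi
```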

Key Details

Property | Value
CVE ID | CVE-2025-48543
Vendor / Product | Android — Runtime
NVD Published | 2025-09-04
NVD Last Modified | 2025-10-23
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-416
CISA KEV Added | 2025-09-04
CISA KEV Deadline | 2025-09-25
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-09-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2025-09-01 | Android September 2025 Security Bulletin published with fix
2025-09-04 | CVE published; CISA adds to KEV (alongside CVE-2025-38352; both flagged as exploited in the same bulletin)
2025-09-25 | CISA BOD 22-01 remediation deadline