CVE-2025-48543

ENISA EUVD: EUVD-2025-26791
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: March 3, 2026 · 4 articles · Published: 2025-09-04

EPSS Score

Source: FIRST.org · 2026-05-23
0.31% probability
This CVE has a 0.31% probability of being exploited in the next 30 days.
Top 54.3th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
8.8 HIGH
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
In multiple locations, there is a possible way to escape chrome sandbox to attack android system_server due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Google
Android
16 15 14 13

Attack Intelligence

Google Project Zero

Patched: Sept. 1, 2025
Reported by: Clément Lecigne of Google's Threat Analysis Group
Root Cause Analysis: ???

Exploits & PoC

gamesarchive/CVE-2025-48543

PoC exploit for CVE-2025-48543 in C++

52 2025-12-28
1 repo

Signal Intelligence

Confidence 88%
EPSS 0.31%
CVSS v3.1 8.8
Mentions 4
Last Seen May 05, 2026

CNA Information

CNA Assigner
google_android

Analyst Note

CVE-2025-48543 is confirmed as a critical sandbox escape vulnerability affecting Android Chrome with CVSS 8.8 (HIGH severity). The vulnerability enables local privilege escalation through a use-after-free flaw without requiring user interaction, and has been documented in Google Project Zero and reported as actively exploited in the wild by TheHackerNews.

Threat Actors 12

Cobalt · apt_group · Financial crime · 🇷🇺 RU
APT 28 · apt_group · Information theft and espionage · 🇷🇺 RU
Infy · apt_group · Information theft and espionage · 🇮🇷 IR
APT24 · apt_group · Information theft and espionage · 🇨🇳 CN
UNC1549 · apt_group · Information theft and espionage · 🇮🇷 IR
APT 6 · apt_group · Information theft and espionage · 🇨🇳 CN
Red October · apt_group · 🇷🇺 RU
PassCV · apt_group · Information theft and espionage · 🇨🇳 CN
Shadow Network · apt_group · Information theft and espionage · 🇨🇳 CN
Mana Team · apt_group · 🇨🇳 CN
APT 5 · apt_group · Information theft and espionage · 🇨🇳 CN
Storm-2460 · apt_group · 🇷🇺 RU

Triage Info

Decided at: Mar 03, 2026
Published Date: Sep 04, 2025