CVE-2025-48543

HIGH KEV

Android - Use-After-Free in Chrome Sandbox Escape

Title source: llm

Exploitation Summary

CVE-2025-48543 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 4, 2025. EIP tracks 2 public exploits from researchers including gamesarchive, adminlove520.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-48543, targeting a use-after-free (UAF) vulnerability in the Android Binder component. The exploit leverages a dangling BinderProxy object to hijack control flow, execute a ROP chain, and achieve privilege escalation to SYSTEM on the host kernel.

Description

In multiple locations, there is a possible way to escape chrome sandbox to attack android system_server due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (2)

nomisec WORKING POC 48 stars
by gamesarchive · local
https://github.com/gamesarchive/CVE-2025-48543

This repository contains a functional exploit for CVE-2025-48543, targeting a use-after-free (UAF) vulnerability in the Android Binder component. The exploit leverages a dangling BinderProxy object to hijack control flow, execute a ROP chain, and achieve privilege escalation to SYSTEM on the host kernel.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android Binder component (likely affecting multiple Android versions)
No auth needed
Prerequisites: Android device with vulnerable Binder component · Ability to execute arbitrary code in an unprivileged context
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-48543

This repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target device
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 8.8
EPSS 0.0031
EPSS Percentile 54.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-09-04
VulnCheck KEV 2025-09-01
ENISA EUVD EUVD-2025-26791
CWE CWE-416
Status published
Products (4)
google/android 13.0
google/android 14.0
google/android 15.0
google/android 16.0
Published Sep 04, 2025
KEV Added Sep 04, 2025
Tracked Since Feb 18, 2026