CVE-2025-38352 & CVE-2025-48543


Lookout Coverage and Recommendation for Admins
Given that both CVEs have been identified by Google as being under "limited, targeted exploitation," immediate action is crucial. The most critical step is to ensure that all Android devices in your fleet are updated to the latest available security patch level. Both CVE-2025-38352 and CVE-2025-48543 have been addressed as of the 2025-09-05 Android security patch level. Admins should enforce these updates as soon as they are available. To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device.
- Enforce Mobile Security Policies:
  - Prohibit Sideloading: Disallow the installation of applications from unknown sources. This helps prevent a malicious app from being the initial point of entry for an attacker.
  - Disable Developer Options: Ensure that "Developer options" are disabled on all corporate devices, as this can expose the device to greater risk.
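As an added example (not part of Lookout's advisory or console), the following POSIX shell audit checks each adb-connected device against the 2025-09-05 patch level and flags devices that still have developer options enabled, reading the ro.build.version.security_patch property and the development_settings_enabled global setting. It assumes adb is on PATH and the devices are already authorized for USB debugging, so it suits a lab or spot check; fleet-wide enforcement still belongs in the MDM policy.

```shell
#!/bin/sh
# Minimum Android security patch level named in the advisory.
REQUIRED_PATCH_LEVEL="2025-09-05"

# patch_level_ok LEVEL [REQUIRED]
# Returns 0 when LEVEL (YYYY-MM-DD) is well-formed and >= REQUIRED, 1 otherwise.
# An empty or malformed property value is treated as unpatched rather than ignored.
patch_level_ok() {
    level="$1"; required="${2:-$REQUIRED_PATCH_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the hyphens so the dates compare as plain integers (20250905 >= 20250905).
    lvl=$(printf '%s' "$level" | tr -d -)
    req=$(printf '%s' "$required" | tr -d -)
    [ "$lvl" -ge "$req" ]
}

# classify_device PATCH_LEVEL DEV_OPTIONS
# One-word status for a device: its patch level and whether developer options
# are on (the development_settings_enabled setting is "1" when enabled).
classify_device() {
    if ! patch_level_ok "$1"; then echo "UNPATCHED"; return; fi
    if [ "$2" = "1" ]; then echo "DEV_OPTIONS_ON"; return; fi
    echo "OK"
}

# audit_device SERIAL: query one connected device over adb and print a TSV row.
# tr strips the carriage return that adb shell appends on some devices.
audit_device() {
    serial="$1"
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    devopts=$(adb -s "$serial" shell settings get global development_settings_enabled | tr -d '\r')
    printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_device "$level" "$devopts")"
}

# Walk every device adb reports as authorized ("device" state) when run with --run.
if [ "${1:-}" = "--run" ] && command -v adb >/dev/null 2>&1; then
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        audit_device "$serial"
    done
fi
```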
Overview
Google recently disclosed two new privilege escalation vulnerabilities affecting the Android OS. The first, CVE-2025-38352, is a local privilege escalation flaw in the Linux kernel's POSIX CPU timers subsystem. This vulnerability allows a malicious app or a low-privilege attacker to exploit a race condition by manipulating the timing of process exits and timer operations. This manipulation can destabilize the kernel, allowing the attacker to gain elevated privileges and break out of the app's sandbox to achieve full control of the device.
Meanwhile, CVE-2025-48543 is a local privilege escalation vulnerability found in the Android Runtime (ART) component. It's a use-after-free flaw, which is a type of memory corruption bug. This vulnerability allows a malicious application to bypass the Android sandbox, which is designed to isolate apps from each other and the system. By exploiting this flaw, an attacker can escalate their privileges to those of the highly-privileged system process. This level of access could be used to disable security controls, steal sensitive data, or install persistent malware without the user knowing.
United States government organizations are required to have all vulnerable devices patched by September 25, 2025. While CISA's requirement applies only to US government organizations, its guidance should inform enterprise organizations as well.
Lookout Analysis
The POSIX CPU timers subsystem in the Linux kernel underlying Android lets developers measure and manage the amount of CPU time a process or a specific thread consumes. This is a standard feature on many operating systems, and Android exposes it to help developers monitor and optimize their apps' performance and resource usage. The Android Runtime, or ART, is the managed runtime environment used by the Android operating system. It's the engine that executes app code, acting as both translator and executor for that code.
Vulnerabilities in core platform components like these (the kernel and the app runtime) can have an outsized impact on mobile fleets. It's particularly concerning when there are known exploits in the wild, which could result in the attacker taking over the device or quietly installing malware that can steal sensitive data or spy on an individual.