CVE-2025-48539 is a critical use-after-free vulnerability identified in the SendPacketToPeer function of the acl_arbiter.cc component in Google Android versions 15 and 16. The flaw allows an attacker in close proximity (e.g., via Bluetooth or similar local wireless communication) to trigger an out-of-bounds read by exploiting the use-after-free condition. This memory corruption can lead to remote code execution without requiring any user interaction or elevated privileges, making it particularly dangerous. The vulnerability stems from improper management of memory objects in the Bluetooth ACL (Asynchronous Connection-Less) arbiter module, which handles packet transmission to peers. By sending crafted packets, an attacker can manipulate the memory state, causing the system to execute arbitrary code. The CVSS v3.1 base score of 8.0 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction. Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized quickly, especially given the ubiquity of Android devices. The vulnerability is tracked under CWE-416 (Use After Free), a common and dangerous memory corruption class. The absence of available patches at the time of reporting increases the urgency for mitigation.

The vulnerability allows attackers in physical proximity to execute arbitrary code on affected Android devices, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, installation of persistent malware, disruption of device operations, and lateral movement within networks. Given Android's dominant market share in mobile devices worldwide, the impact is extensive, affecting individual users, enterprises, and critical infrastructure relying on Android-based systems. The lack of required user interaction lowers the barrier for exploitation, increasing the risk of widespread attacks. Organizations could face data breaches, operational downtime, and reputational damage. Additionally, compromised devices could be leveraged as entry points for broader network intrusions or as part of botnets for further attacks.

Organizations and users should prioritize updating Android devices to patched versions once available from Google or device manufacturers. Until patches are released, disabling or restricting Bluetooth and other local wireless interfaces can reduce exposure, especially in untrusted environments. Network segmentation and monitoring for anomalous Bluetooth activity can help detect exploitation attempts. Employ endpoint detection and response (EDR) tools capable of identifying suspicious memory corruption behaviors. Security teams should review device management policies to enforce timely updates and consider deploying mobile threat defense solutions. Developers should audit related Bluetooth stack components for similar vulnerabilities and apply secure coding practices to prevent use-after-free conditions. Finally, educating users about the risks of connecting to unknown or untrusted devices can further reduce attack vectors.