CVE-2025-48539 is a high-severity remote code execution (RCE) vulnerability affecting Google Android versions 15 and 16. The flaw exists in the SendPacketToPeer function within the acl_arbiter.cc component, where a use-after-free condition leads to an out-of-bounds read. This memory corruption vulnerability allows an attacker to execute arbitrary code remotely without requiring additional execution privileges or user interaction. The attack vector is proximal or adjacent, meaning the attacker must be within Bluetooth or similar close-range communication distance to the target device. Exploitation does not require user interaction, increasing the risk of silent compromise. The vulnerability is classified under CWE-416 (Use After Free), a common and dangerous memory safety issue. The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. Although no public exploits are currently known, the vulnerability’s characteristics make it a significant threat to Android devices, especially those running the specified versions. The lack of available patches at the time of publication further elevates the urgency for mitigation and monitoring.

For European organizations, this vulnerability poses a substantial risk due to the widespread use of Android devices in corporate and personal environments. The ability to execute code remotely without user interaction means attackers could deploy malware, steal sensitive data, or disrupt device functionality silently. This could lead to data breaches, espionage, or operational disruptions, especially in sectors relying heavily on mobile communications such as finance, healthcare, and government. The proximal attack vector implies that attackers need physical closeness, which could be exploited in public or semi-public spaces like offices, conferences, or transportation hubs. Given the high confidentiality, integrity, and availability impacts, organizations could face regulatory penalties under GDPR if personal data is compromised. The vulnerability also threatens the security of Bring Your Own Device (BYOD) policies and mobile workforce operations common in Europe.

Organizations should prioritize updating affected Android devices to patched versions as soon as they become available from Google or device manufacturers. Until patches are released, network segmentation and limiting Bluetooth and other proximal communication interfaces can reduce exposure. Disabling Bluetooth or restricting its use in sensitive environments can mitigate attack opportunities. Endpoint detection and response (EDR) solutions should be tuned to monitor for anomalous Bluetooth activity or unexpected process behaviors. Security awareness training should inform users about risks of connecting to unknown devices nearby. Enterprises should enforce mobile device management (MDM) policies that restrict device configurations and enforce timely updates. Additionally, monitoring for unusual network traffic or device behavior indicative of exploitation attempts is recommended. Collaboration with device vendors to expedite patch deployment and vulnerability disclosure is critical.