CVE-2024-0671 Overview
CVE-2024-0671 is a Use After Free vulnerability affecting multiple Arm GPU kernel drivers, including the Midgard, Bifrost, Valhall, and 5th Gen GPU Architecture Kernel Drivers. This memory corruption flaw allows a local non-privileged user to perform improper GPU memory processing operations, potentially gaining access to already freed memory regions.
The vulnerability stems from improper memory management in the GPU kernel drivers, where memory can be accessed after it has been freed. This type of vulnerability is particularly concerning in GPU drivers as they operate with elevated privileges and handle sensitive memory operations.
Critical Impact
Local attackers can exploit improper GPU memory handling to access freed memory, potentially leading to information disclosure or integrity compromise on affected devices.
Affected Products
- Arm Midgard GPU Kernel Driver (versions r19p0 through r32p0)
- Arm Bifrost GPU Kernel Driver (versions r7p0 through r48p0)
- Arm Valhall GPU Kernel Driver (versions r19p0 through r48p0)
- Arm 5th Gen GPU Architecture Kernel Driver (versions r41p0 through r48p0)
Discovery Timeline
- April 19, 2024 - CVE-2024-0671 published to NVD
- March 27, 2025 - Last updated in NVD database
Technical Details for CVE-2024-0671
Vulnerability Analysis
This Use After Free (CWE-416) vulnerability exists in the memory management subsystem of Arm's Mali GPU kernel drivers. The flaw allows a local, non-privileged user to manipulate GPU memory processing operations in a way that grants access to memory that has already been deallocated.
Use After Free vulnerabilities occur when a program continues to use a pointer after the memory it references has been freed. In the context of GPU kernel drivers, this is particularly dangerous because GPU drivers handle complex memory mapping operations between user space and kernel space, and between CPU and GPU address spaces.
The vulnerability requires local access to exploit, meaning an attacker must already have some level of access to the target system. However, the attack does not require any privileges beyond basic user access, and no user interaction is needed.
Root Cause
The root cause lies in improper GPU memory lifecycle management within the affected kernel drivers. When GPU memory resources are freed, dangling references may persist, allowing subsequent memory operations to access the deallocated regions. This typically occurs due to:
- Insufficient synchronization between memory allocation and deallocation paths
- Missing or improper invalidation of memory references after deallocation
- Race conditions in GPU memory management where freed memory can still be referenced through stale pointers
The vulnerability affects a wide range of driver versions across multiple GPU architectures, suggesting a fundamental issue in shared memory management code used across the Mali GPU driver family.
Attack Vector
The attack vector is local, requiring the attacker to have existing access to the target system. The exploitation scenario involves:
- An attacker with local unprivileged access targets a device running a vulnerable Arm GPU kernel driver
- The attacker crafts specific GPU memory operations through the GPU driver interface
- These operations trigger the Use After Free condition, allowing access to previously freed memory
- The attacker can potentially read sensitive data from freed memory regions or manipulate memory contents to achieve integrity compromise
The vulnerability does not impact system availability, but successful exploitation could lead to information disclosure or data integrity issues. The local attack vector with no required privileges makes this accessible to any user who can execute code on the target system.
Detection Methods for CVE-2024-0671
Indicators of Compromise
- Unusual GPU memory allocation patterns or excessive GPU driver interactions from non-graphics applications
- Abnormal kernel log entries related to Mali GPU driver memory operations
- Processes making atypical ioctl calls to GPU device nodes (/dev/mali*)
- Memory access violations or kernel warnings in GPU driver code paths
Detection Strategies
- Monitor system calls and ioctl requests to Mali GPU device nodes for anomalous patterns
- Implement kernel auditing to track GPU memory allocation and deallocation operations
- Deploy runtime memory safety tools capable of detecting Use After Free conditions in kernel modules
- Use SentinelOne's behavioral AI to detect exploitation attempts targeting GPU driver interfaces
Monitoring Recommendations
- Enable detailed kernel logging for Mali GPU driver operations during security investigations
- Establish baselines for normal GPU driver interaction patterns on protected systems
- Monitor for privilege escalation attempts following GPU driver interactions
- Alert on processes accessing GPU resources that do not typically require GPU functionality
How to Mitigate CVE-2024-0671
Immediate Actions Required
- Identify all systems running affected Arm GPU kernel driver versions and prioritize them for patching
- Update to the latest patched GPU kernel driver version provided by Arm or your device vendor
- Restrict local access to systems running vulnerable drivers where possible
- Apply principle of least privilege to limit the number of users who can interact with GPU resources
Patch Information
Arm has released security updates addressing this vulnerability. Administrators should consult the Arm Security Center Advisory for detailed patch information and update to driver versions beyond:
- Midgard GPU Kernel Driver: Update beyond r32p0
- Bifrost GPU Kernel Driver: Update beyond r48p0
- Valhall GPU Kernel Driver: Update beyond r48p0
- Arm 5th Gen GPU Architecture Kernel Driver: Update beyond r48p0
Device manufacturers and OEMs should incorporate these updated drivers into their firmware updates. End users should check with their device vendor for availability of security patches.
Workarounds
- Limit local user access to systems with vulnerable GPU drivers to reduce the attack surface
- Where feasible, restrict access to GPU device nodes (/dev/mali*) to only applications that require GPU functionality
- Implement mandatory access control policies (SELinux, AppArmor) to confine applications that interact with GPU drivers
- Monitor and audit GPU driver interactions using security monitoring tools until patches can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
