CVE-2024-0671 Overview
CVE-2024-0671 is a Use After Free vulnerability [CWE-416] affecting multiple generations of Arm Mali GPU kernel drivers. A local non-privileged user can perform improper GPU memory processing operations to access already-freed memory. The flaw spans the Midgard, Bifrost, Valhall, and Arm 5th Gen GPU Architecture kernel drivers, which are widely deployed on Android devices and embedded Linux systems using Arm Mali graphics hardware.
The issue affects Midgard GPU Kernel Driver from r19p0 through r32p0, Bifrost GPU Kernel Driver from r7p0 through r48p0, Valhall GPU Kernel Driver from r19p0 through r48p0, and the Arm 5th Gen GPU Architecture Kernel Driver from r41p0 through r48p0.
Critical Impact
Local non-privileged attackers can read or manipulate freed GPU kernel memory, enabling integrity compromise and potential kernel-level corruption on Mali-based Android and Linux devices.
Affected Products
- Arm Midgard GPU Kernel Driver (r19p0 through r32p0)
- Arm Bifrost GPU Kernel Driver (r7p0 through r48p0)
- Arm Valhall GPU Kernel Driver (r19p0 through r48p0)
- Arm 5th Gen GPU Architecture Kernel Driver (r41p0 through r48p0)
Discovery Timeline
- 2024-04-19 - CVE-2024-0671 published to NVD
- 2025-03-27 - Last updated in NVD database
Technical Details for CVE-2024-0671
Vulnerability Analysis
The vulnerability is a use-after-free condition in the Arm Mali GPU kernel driver. The driver fails to correctly synchronize the lifetime of GPU memory objects with operations that reference them. When a local process issues a crafted sequence of GPU memory processing operations, the driver continues to use a memory region after it has been freed.
Exploitation of use-after-free conditions in GPU kernel drivers typically permits an attacker to reclaim the freed allocation with attacker-controlled data. Subsequent dereferences operate on this controlled content. The result is corruption of kernel-managed state, which an attacker can leverage to influence privileged operations performed by the driver.
Mali GPU drivers are a known target on Android because they expose a rich attack surface to unprivileged applications. Similar Mali driver flaws have been chained with userspace exploits to escape application sandboxes.
Root Cause
The root cause is improper handling of GPU memory object lifecycles. The driver releases a memory allocation while references to it remain reachable from concurrent GPU memory processing paths. Operations dispatched along those paths dereference the stale reference, producing the use-after-free condition tracked as [CWE-416].
Attack Vector
The attack vector is local. An unprivileged process on the affected device, including a sandboxed application on Android, invokes Mali driver interfaces such as ioctl calls on /dev/mali0. The attacker triggers a sequence of allocations, frees, and GPU memory operations to reach the vulnerable code path and reuse the freed object.
No user interaction is required, and no authentication beyond local code execution is needed. Public proof-of-concept code is not currently available for CVE-2024-0671.
Detailed technical information is published in the ARM Security Center Advisory for Mali GPU Driver Vulnerabilities.
Detection Methods for CVE-2024-0671
Indicators of Compromise
- Unprivileged processes issuing high volumes of ioctl calls against /dev/mali0 with rapid allocate-free patterns on GPU memory objects.
- Unexpected kernel oops, panics, or SLUB/SLAB corruption messages referencing the Mali driver (mali_kbase).
- Crashes in graphics-related kernel call stacks initiated from non-graphics applications.
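One way to apply the kernel-log indicators above, as an added example that is not part of the original advisory: a shell function that reports fault blocks containing `[mali_kbase]` stack frames, together with the task that was running. The log lines, symbol names and task names are constructed, and the 20-line look-ahead window is an assumption.

```sh
#!/bin/sh
# Added example (not vendor code): pick out kernel fault reports whose stack
# frames are in the Mali driver, and name the task that triggered them.

triage_mali_faults() {
    awk -v window=20 '
        function flush() {
            if (mali) printf "comm=%s fault=%s\n", comm, header
            mali = 0; left = 0
        }
        # Start of a fault report: close the previous one, open a look-ahead window.
        /BUG: KASAN:|Unable to handle kernel|Internal error: Oops|BUG kmalloc-/ {
            flush(); header = $0; comm = "?"; left = window
            sub(/^\[ *[0-9]+\.[0-9]+\] /, "", header)   # drop dmesg timestamp
        }
        left > 0 {
            # "Comm: <name>" is the task that was running when the fault hit.
            if (match($0, /Comm: [^ ]+/)) comm = substr($0, RSTART + 6, RLENGTH - 6)
            # Only frames tagged [mali_kbase] count; "Modules linked in:" lists
            # the module untagged even when the fault is elsewhere.
            if (index($0, "[mali_kbase]")) mali = 1
            if (--left == 0) flush()
        }
        END { flush() }
    '
}

# Constructed kernel log: symbol names, addresses and tasks are made up.
sample_log='[  812.104311] BUG: KASAN: slab-use-after-free in example_gpu_op+0x4c/0x120 [mali_kbase]
[  812.104330] Read of size 8 at addr ffffff80c1a2b000 by task com.example.app/4121
[  812.104352] CPU: 3 PID: 4121 Comm: com.example.app Tainted: G           O      5.15.0 #1
[  812.104377] Call trace:
[  812.104390]  example_gpu_op+0x4c/0x120 [mali_kbase]
[ 1440.551002] Unable to handle kernel paging request at virtual address 0000000000000010
[ 1440.551040] Modules linked in: mali_kbase(O) example_wifi(O)
[ 1440.551066] CPU: 1 PID: 977 Comm: netd Tainted: G           O      5.15.0 #1
[ 1440.551090] Call trace:
[ 1440.551101]  example_wifi_rx+0x88/0x200 [example_wifi]'

printf '%s\n' "$sample_log" | triage_mali_faults
```

Feed it `dmesg` or `logcat -b kernel` output on stdin. Frames carry the `[mali_kbase]` tag only when the driver is loaded as a module, so a built-in driver needs a symbol-based match instead.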
Detection Strategies
- Inventory installed Mali GPU driver versions across Android and embedded Linux fleets and compare against the affected version ranges.
- Monitor kernel logs (dmesg, logcat -b kernel) for Mali driver faults that may indicate exploitation attempts or instability from triggered use-after-free conditions.
- Correlate process telemetry with kernel-side crash signatures to identify unprivileged binaries interacting heavily with the GPU driver.
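The inventory check from the first strategy, as an added example (not Arm's or any vendor's tooling): it classifies a driver revision against the affected ranges listed on this page. The function names, architecture labels and inventory rows are constructed, and it assumes revisions order by release number, then patch number.

```sh
#!/bin/sh
# Added example: classify a Mali kernel driver revision against the ranges
# this page lists for CVE-2024-0671. Function names are hypothetical.

# Turn "r38p1" into a sortable integer; fail on anything else.
# Assumption: revisions order by release number, then patch number.
rev_key() {
    printf '%s\n' "$1" | awk -F'[rp]' '/^r[0-9]+p[0-9]+$/ { print $2 * 1000 + $3; ok = 1 } END { exit !ok }'
}

# Usage: mali_status <midgard|bifrost|valhall|5thgen> <rNpM>
mali_status() {
    case "$1" in
        midgard) lo=r19p0; hi=r32p0 ;;
        bifrost) lo=r7p0;  hi=r48p0 ;;
        valhall) lo=r19p0; hi=r48p0 ;;
        5thgen)  lo=r41p0; hi=r48p0 ;;
        *) echo unknown; return 2 ;;
    esac
    key=$(rev_key "$2") || { echo unknown; return 2; }
    if [ "$key" -ge "$(rev_key "$lo")" ] && [ "$key" -le "$(rev_key "$hi")" ]; then
        echo affected
    else
        echo outside-range   # confirm against the fixed revisions in Arm's advisory
    fi
}

# Constructed inventory rows: device name, GPU architecture, driver revision.
inventory='tablet-01 valhall r38p1
kiosk-07 midgard r32p0
panel-12 bifrost r6p0
cam-03 5thgen r49p0
gw-02 valhall unknown'

report() {
    printf '%s\n' "$inventory" | while read -r dev arch rev; do
        printf '%s %s %s %s\n' "$dev" "$arch" "$rev" "$(mali_status "$arch" "$rev")"
    done
}
report
```

Rows reported as `unknown` are devices whose revision could not be parsed and should be checked by hand.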
Monitoring Recommendations
- Enable kernel address sanitizer (KASAN) or equivalent diagnostics on test devices to surface use-after-free conditions during validation.
- Track Android security bulletins and device vendor updates that integrate Arm's fixed driver releases.
- Alert on installation of unsigned or sideloaded applications that target devices with vulnerable Mali driver versions.
How to Mitigate CVE-2024-0671
Immediate Actions Required
- Identify affected devices running Midgard r19p0–r32p0, Bifrost r7p0–r48p0, Valhall r19p0–r48p0, or 5th Gen GPU Architecture r41p0–r48p0 kernel drivers.
- Apply the latest device vendor firmware or OS update that incorporates the fixed Arm Mali GPU driver.
- Restrict installation of untrusted applications on affected mobile and embedded devices until patches are deployed.
Patch Information
Arm has published fixed driver releases. Refer to the ARM Security Center Advisory for the specific revisions that resolve CVE-2024-0671. On Android devices, the fix is delivered through SoC vendor and OEM security patch levels rather than directly from Arm.
Workarounds
- No vendor-supplied workaround exists; the supported remediation is to update to a fixed driver revision.
- Where patching is delayed, limit local code execution by enforcing application allowlisting and disabling sideloading on managed devices.
- For embedded Linux systems, restrict access to /dev/mali0 to trusted user contexts using device permissions and SELinux or AppArmor policies.
```sh
# Verify Mali kernel driver version on a Linux/Android device
cat /sys/module/mali_kbase/version 2>/dev/null
dmesg | grep -i mali | head -n 20

# Restrict device node access (example for embedded Linux)
chmod 0660 /dev/mali0
chown root:graphics /dev/mali0
```