CVE-2025-0072 Overview
CVE-2025-0072 is a use-after-free vulnerability [CWE-416] in the Arm Valhall GPU Kernel Driver and the Arm 5th Gen GPU Architecture Kernel Driver. A local non-privileged user process can perform improper GPU memory processing operations to access already freed memory. Successful exploitation allows attackers to compromise confidentiality, integrity, and availability of the affected system. The flaw affects Valhall GPU Kernel Driver versions r29p0 through r49p3 and r50p0 through r53p0, and 5th Gen GPU Architecture Kernel Driver versions r41p0 through r49p3 and r50p0 through r53p0. Arm published the advisory in its developer documentation portal.
Critical Impact
Local attackers with low privileges can leverage freed GPU memory to escalate privileges, leak sensitive data, or destabilize the kernel on Android devices and other systems using Arm Mali GPUs.
Affected Products
- Arm Valhall GPU Kernel Driver versions r29p0 through r49p3
- Arm Valhall GPU Kernel Driver versions r50p0 through r53p0
- Arm 5th Gen GPU Architecture Kernel Driver versions r41p0 through r49p3 and r50p0 through r53p0
Discovery Timeline
- 2025-05-02 - CVE-2025-0072 published to NVD
- 2025-05-12 - Last updated in NVD database
Technical Details for CVE-2025-0072
Vulnerability Analysis
The vulnerability resides in the kernel-mode driver that mediates GPU memory operations between userland processes and the Mali GPU hardware. A non-privileged user process can invoke a sequence of GPU memory processing operations that leave a dangling reference to a memory object after that object has been freed. Subsequent operations on the dangling reference read or write memory that the kernel allocator has since recycled. Because the driver runs at kernel privilege, the attacker gains a primitive for tampering with kernel data structures.
GPU drivers are an attractive target on Android, where unprivileged applications routinely interact with /dev/mali0 to submit work. Exploitation of similar Mali driver use-after-free issues has historically produced reliable local privilege escalation against Pixel and Samsung devices.
Root Cause
The defect is a use-after-free [CWE-416] in object lifetime management inside the GPU memory processing path. The driver releases a memory object while another code path still holds a reference. Operations performed through the stale reference allow access to the freed allocation, which may have been reused for unrelated kernel data.
Attack Vector
The attack requires local access and low privileges, with no user interaction. An attacker delivers a malicious application or shell payload to the device. The application issues crafted ioctl calls to the Mali kernel driver to trigger the vulnerable allocation, free, and reuse sequence. The resulting kernel memory corruption can be shaped into arbitrary kernel read/write primitives.
No public proof-of-concept exploit code has been published for CVE-2025-0072 at the time of writing. Refer to the ARM Developer Documentation for the authoritative description of the affected code paths.
Detection Methods for CVE-2025-0072
Indicators of Compromise
- Unexpected process crashes, kernel oopses, or GPU driver panics referencing the Mali kernel module in dmesg or logcat.
- Userland processes that repeatedly open /dev/mali0 and submit unusual KBASE_IOCTL_* sequences inconsistent with normal graphics workloads.
- Newly installed or sideloaded applications requesting GPU access while exhibiting privilege escalation behavior.
Detection Strategies
- Inventory affected mobile and embedded fleets to identify devices running Valhall or 5th Gen Mali kernel driver versions in the vulnerable ranges.
- Monitor kernel logs for repeated faults inside Mali driver symbols, which can indicate failed exploitation attempts.
- Use Android Enterprise or MDM telemetry to flag devices that have not received the vendor security patch level addressing this CVE.
Monitoring Recommendations
- Forward mobile EDR, MDM compliance state, and kernel crash telemetry to a centralized analytics platform for correlation with threat intelligence.
- Track installation of unsigned or sideloaded APKs on managed devices and review applications that request low-level GPU interaction.
- Alert on devices whose patch level falls behind the vendor advisory referenced in the ARM developer documentation.
How to Mitigate CVE-2025-0072
Immediate Actions Required
- Apply the Arm Mali GPU kernel driver update provided by the device OEM or Android security patch level that addresses CVE-2025-0072.
- Restrict installation of untrusted applications and enforce application allowlisting through MDM on managed mobile fleets.
- Audit privileged workloads running on devices with affected Mali drivers and isolate high-value assets until patched.
Patch Information
Arm has documented the fix and affected version ranges in its ARM Developer Documentation. Downstream vendors, including Google for Pixel and Samsung for Galaxy devices, integrate the corrected driver into monthly Android security bulletins. Devices must receive the OEM firmware update because the Mali kernel driver ships as part of the vendor partition, not via Google Play system updates.
Workarounds
- No vendor-supplied workaround eliminates the vulnerability without applying the driver update; reduce exposure by limiting which users can install applications.
- Disable or restrict access to GPU compute features for untrusted workloads where feasible at the OS or container policy layer.
- For enterprise mobile deployments, enforce minimum security patch level policies that block enrollment of devices behind on Mali driver patches.
# Verify Android security patch level on a managed device
adb shell getprop ro.build.version.security_patch
# Check Mali kernel driver version (where exposed)
adb shell cat /sys/module/mali_kbase/version 2>/dev/null || \
adb shell dmesg | grep -i mali
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
