Skip to main content
CVE Vulnerability Database

CVE-2025-3212: Arm 5th Gen GPU Driver Use-After-Free Flaw

CVE-2025-3212 is a use-after-free vulnerability in Arm 5th Gen GPU Architecture Kernel Driver that allows local attackers to access freed memory. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2025-3212 Overview

CVE-2025-3212 is a use-after-free vulnerability [CWE-416] affecting Arm Ltd Bifrost, Valhall, and Arm 5th Gen GPU Architecture Kernel Drivers. A local non-privileged user process can perform valid GPU memory processing operations to gain access to already freed memory. The flaw allows an unprivileged user-space process to reach kernel memory that has been released, creating a window for controlled reuse of that memory region.

The issue affects Bifrost GPU Kernel Driver from r41p0 through r49p4 and from r50p0 through r51p0, Valhall GPU Kernel Driver from r41p0 through r49p4 and from r50p0 through r54p0, and Arm 5th Gen GPU Architecture Kernel Driver from r41p0 through r49p4 and from r50p0 through r54p0.

Critical Impact

A local non-privileged process can trigger reuse of freed GPU kernel memory, impacting availability and potentially enabling further kernel-level compromise on affected Arm Mali GPU platforms.

Affected Products

  • Arm Bifrost GPU Kernel Driver (r41p0 through r49p4, r50p0 through r51p0)
  • Arm Valhall GPU Kernel Driver (r41p0 through r49p4, r50p0 through r54p0)
  • Arm 5th Gen GPU Architecture Kernel Driver (r41p0 through r49p4, r50p0 through r54p0)

Discovery Timeline

  • 2025-09-08 - CVE-2025-3212 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-3212

Vulnerability Analysis

The vulnerability resides in the Arm Mali GPU kernel driver family shared across Bifrost, Valhall, and 5th Gen GPU architectures. The driver exposes GPU memory processing operations to user space. Under specific sequences of valid GPU memory operations, the driver retains a reference to a kernel object after that object has been freed. Subsequent operations dereference the stale pointer, resulting in a use-after-free condition [CWE-416].

Because the affected code path is reachable from an unprivileged process, an attacker does not need elevated permissions or user interaction to trigger the flaw. The impact profile primarily affects availability, with the GPU driver or kernel state becoming corrupted after the freed memory is accessed. Successful reuse of a freed slab object can also serve as a primitive for further kernel exploitation in combination with other issues.

Root Cause

The root cause is improper lifetime management of GPU memory objects within the kernel driver. The driver fails to invalidate or refcount handles to memory regions that user-issued GPU processing operations can release, leaving dangling references that later operations dereference.

Attack Vector

Exploitation requires a local process with access to the Mali GPU device node, typically available to standard graphics-enabled user sessions on Android and Linux systems using Arm Mali GPUs. The attacker issues a specific sequence of valid GPU memory processing ioctls that free a backing object while a stale reference remains. A follow-up operation then accesses the freed memory. Refer to the Arm Developer Documentation for details on affected code paths.

Detection Methods for CVE-2025-3212

Indicators of Compromise

  • Kernel crashes, oops entries, or panics referencing the Mali GPU driver (mali_kbase) in dmesg or logcat output.
  • KASAN or SLUB debug reports flagging use-after-free access inside GPU driver call paths.
  • Unexpected GPU driver reinitialization or graphics stack restarts on affected devices.

Detection Strategies

  • Inventory endpoints and mobile devices to identify Arm Mali GPU driver versions in the vulnerable ranges.
  • Correlate repeated GPU driver faults with unprivileged process activity to surface exploitation attempts.
  • Review installed kernel and vendor GPU driver patch levels against Arm's advisory to identify unpatched systems.

Monitoring Recommendations

  • Monitor kernel logs on Linux and Android devices for recurring Mali GPU faults tied to specific user processes.
  • Track process behavior that opens /dev/mali0 and issues high-frequency memory allocation and free ioctls.
  • Alert on unexpected privilege changes or new kernel modules loaded shortly after GPU driver instability.

How to Mitigate CVE-2025-3212

Immediate Actions Required

  • Identify all systems running Arm Bifrost, Valhall, or 5th Gen GPU Architecture Kernel Drivers in the affected version ranges.
  • Apply the vendor-supplied driver updates from device OEMs or the Android security bulletin that carry Arm's fix.
  • Restrict local access on multi-user systems where patching is delayed, and remove untrusted user accounts.

Patch Information

Arm has published guidance in its ARM Developer Documentation. Upgrade to a fixed driver revision beyond the affected ranges: past r49p4 in the r41p0r49p4 line, and past r51p0 for Bifrost or r54p0 for Valhall and 5th Gen GPU Architecture in the r50p0 series. Device OEMs distribute these updates through kernel and vendor image updates.

Workarounds

  • Limit local logon and shell access on affected systems until fixed drivers are deployed.
  • Where feasible, restrict permissions on the Mali device node so only trusted graphics services can access it.
  • Prevent installation of untrusted applications on Android devices that rely on affected Mali GPU driver builds.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.