CVE-2025-6349: Arm 5th Gen GPU Driver Use-After-Free Flaw

CVE-2025-6349 Overview

CVE-2025-6349 is a use-after-free vulnerability [CWE-416] in the Arm Valhall GPU Kernel Driver and the Arm 5th Gen GPU Architecture Kernel Driver. A local non-privileged user process can trigger improper GPU memory processing operations to access already-freed kernel memory. The flaw affects driver versions r53p0 through r54p1 for both driver families. Successful exploitation requires local access but no privileges or user interaction, which makes it relevant for mobile and embedded devices using Arm Mali GPUs.

Critical Impact

A local unprivileged process can read and modify freed GPU kernel memory, potentially leading to information disclosure or memory corruption on Android handsets and other Arm-based systems.

Affected Products

• Arm Valhall GPU Kernel Driver versions r53p0 through r54p1
• Arm 5th Gen GPU Architecture Kernel Driver versions r53p0 through r54p1
• Downstream Android and Linux devices integrating these Arm Mali GPU drivers

Discovery Timeline

• 2025-12-01 - CVE-2025-6349 published to the National Vulnerability Database
• 2025-12-02 - Entry last updated in NVD

Technical Details for CVE-2025-6349

Vulnerability Analysis

The vulnerability resides in the GPU memory management logic of the Arm Valhall and 5th Gen GPU Architecture kernel drivers. The driver releases a memory object while another execution path retains a reference to it. Subsequent GPU memory processing operations dereference that stale reference, reading or writing memory that has been freed or reallocated.

Because the attack vector is local and requires no privileges or user interaction, any process with access to the GPU device node — typically /dev/mali0 on Android — can initiate the operations needed to reach the vulnerable code path. The confidentiality and integrity impact is limited but real, while availability is unaffected.

Arm Mali GPU driver use-after-free issues have been weaponized in prior in-the-wild Android exploitation campaigns. Defenders should treat this class of bug as a credible sandbox-escape primitive even when the standalone CVSS score is moderate.

Root Cause

The root cause is unsafe lifetime management of GPU memory allocations [CWE-416]. A reference to a kernel object outlives the free operation, allowing later GPU memory processing routines to operate on a dangling pointer. Arm's advisory does not publicly enumerate the exact ioctl path, but the defect is contained within the GPU memory subsystem of the kernel driver.

Attack Vector

Exploitation requires local code execution on the device, such as a malicious or compromised application on an Android handset. The attacker issues crafted sequences of GPU operations against the driver to force a free of a memory object while keeping it referenced elsewhere. A follow-up operation then dereferences the freed allocation. Reliable exploitation typically pairs the dangling reference with a heap-spray to control the contents of reallocated memory, escalating the primitive toward kernel read/write. No proof-of-concept code is publicly available for CVE-2025-6349 at this time.

Detection Methods for CVE-2025-6349

Indicators of Compromise

• Unexpected kernel oops, panic, or KASAN reports referencing the mali_kbase driver in dmesg or logcat.
• Untrusted applications opening /dev/mali0 and issuing high volumes of GPU memory allocation, mapping, or import ioctls.
• Crashes or SELinux denials originating from app-domain processes touching the GPU device node.

Detection Strategies

• Inventory installed Arm GPU driver versions on managed Android and Linux fleets and flag any in the r53p0–r54p1 range.
• Hunt for processes interacting with /dev/mali0 outside of expected graphics, compute, or game workloads.
• Correlate GPU driver crash signatures with subsequent privilege changes or new process launches that indicate post-exploitation activity.

Monitoring Recommendations

• Forward kernel logs and Android system logs to a centralized analytics platform and alert on mali subsystem faults.
• Track mobile device management (MDM) compliance for vendor security patch levels that include the Arm advisory fixes.
• Monitor for newly sideloaded or untrusted applications on devices where GPU driver patches have not yet been applied.

How to Mitigate CVE-2025-6349

Immediate Actions Required

• Identify endpoints running Arm Valhall or 5th Gen GPU Architecture kernel drivers at versions r53p0 through r54p1.
• Apply the fixed driver release supplied by Arm or by the device OEM as soon as it is integrated into a vendor build.
• On Android fleets, enforce the latest available monthly security patch level via MDM policy.
• Restrict installation of untrusted applications on affected devices until patches are deployed.

Patch Information

Arm has documented the issue and remediation guidance in its Mali GPU kernel driver security notice. Refer to the ARM Developer Documentation for the fixed driver revision and integration instructions. Device-level fixes must be delivered by the SoC vendor or OEM through a firmware or system update; users cannot patch the kernel driver independently.

Workarounds

• No vendor-supplied workaround replaces the driver update; upgrading the kernel driver is the only complete fix.
• Reduce exposure by limiting which applications can run on affected devices, particularly those with access to the GPU device node.
• Disable sideloading and enforce application allowlisting on managed mobile endpoints until OEM patches arrive.

# Check the Mali GPU kernel driver version on an Android device via ADB
adb shell cat /sys/module/mali_kbase/version 2>/dev/null || \
  adb shell dmesg | grep -i "mali"

# Confirm the current Android security patch level
adb shell getprop ro.build.version.security_patch