CVE-2025-8045 Overview
CVE-2025-8045 is a use-after-free vulnerability [CWE-416] in the Arm Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver. A local non-privileged user process can issue improper GPU processing operations to access already-freed kernel memory. The flaw affects driver versions r53p0 through r54p1 on both driver lines. Successful exploitation can result in disclosure of kernel memory contents to an unprivileged process running on the device. The issue requires local access and no user interaction, making it relevant on multi-user systems and Android handsets where attacker-controlled code may already run with low privileges.
Critical Impact
A local non-privileged process can read freed GPU kernel memory, potentially leaking sensitive data from the kernel or other workloads sharing the GPU.
Affected Products
- Arm Valhall GPU Kernel Driver versions r53p0 through r54p1
- Arm 5th Gen GPU Architecture Kernel Driver versions r53p0 through r54p1
- Devices (including Android handsets and Linux systems) shipping the affected Mali GPU kernel drivers
Discovery Timeline
- 2025-12-01 - CVE-2025-8045 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-8045
Vulnerability Analysis
The defect is a classic use-after-free in the Arm Mali GPU kernel driver. The driver frees a memory object while another code path retains a reference to it. A subsequent GPU processing request dereferences the stale pointer and operates on memory that has been released back to the kernel allocator. Because the GPU driver runs in kernel context, the resulting access reads kernel-resident data and returns observable state to a userspace caller.
The vulnerability impacts confidentiality only. The CVSS vector indicates no integrity or availability impact, and the scope is unchanged. Exploitation does not require privileges or user interaction, but the attacker must execute code locally on the device.
Root Cause
The root cause is improper lifetime management of a GPU memory object inside the kernel driver. Specifically, the driver releases a buffer or descriptor without invalidating all outstanding references held by concurrent GPU command-submission paths. When a subsequent ioctl-driven GPU operation reuses the dangling reference, the driver reads from the freed allocation. Depending on allocator state, that region may already contain kernel data belonging to another subsystem, enabling information disclosure.
Attack Vector
A local non-privileged user process opens the Mali GPU device node and issues crafted GPU processing operations through the standard driver ioctl interface. The sequence triggers the free of an object that the driver continues to use, then performs an operation that reads the stale memory. The user-mode caller receives results derived from freed kernel memory. No network access, elevated privileges, or social engineering is needed. Refer to the ARM Developer Documentation for driver-specific details.
Detection Methods for CVE-2025-8045
Indicators of Compromise
- Unexpected processes opening /dev/mali0 or equivalent GPU device nodes without legitimate graphics workloads
- Anomalous ioctl call patterns against the Mali kernel driver from non-graphical or background processes
- Kernel logs (dmesg) showing GPU driver warnings, KASAN reports, or page-fault traces tied to the Mali driver
Detection Strategies
- Inventory installed Mali GPU kernel driver versions across Android and Linux fleets and flag any in the r53p0 through r54p1 range
- Hunt for low-privileged processes that invoke GPU driver syscalls outside expected application contexts such as renderers or compositors
- Correlate device-node access with process lineage to identify untrusted binaries touching the GPU driver
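The inventory check in the first strategy above can be scripted as follows. This is an added example, not code from Arm or from the original advisory; the device names, the sample inventory and the build-suffix form (`-01eac0`) are assumptions, and collecting the version string from each device is left to the fleet tooling.

```python
import re

# Affected range stated in the advisory: r53p0 through r54p1 (inclusive).
AFFECTED_MIN = (53, 0)
AFFECTED_MAX = (54, 1)

# Driver releases are labelled r<release>p<patch>. Reported strings may carry a
# build suffix after the version (the "-01eac0" form below is an assumption).
VERSION_RE = re.compile(r"(?<![0-9A-Za-z])r(\d+)p(\d+)(?![0-9A-Za-z])")

def parse_version(text):
    """Return (release, patch) from a string containing rNNpM, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(text):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable: needs manual review, not a pass
    # Tuples compare numerically, release first and then patch.
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not-affected"

def triage(inventory):
    """Group device names by status; each group is returned sorted."""
    groups = {"affected": [], "not-affected": [], "unknown": []}
    for device, version_text in inventory.items():
        groups[classify(version_text)].append(device)
    return {status: sorted(devices) for status, devices in groups.items()}

# Constructed sample inventory: device name -> reported driver version string.
SAMPLE_INVENTORY = {
    "phone-a": "r53p0-01eac0",
    "phone-b": "r54p1",
    "tablet-c": "r52p0-01eac0",
    "board-d": "r54p2",
    "kiosk-e": "r9p0",
    "phone-f": "",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(status, devices)
```

Devices in the `unknown` group reported a string with no recognisable version and should be checked by hand rather than treated as unaffected.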
Monitoring Recommendations
- Forward kernel and auditd events for /dev/mali* access into a centralized log platform for retroactive hunting
- Enable KASAN or equivalent memory-safety instrumentation on test builds to surface latent use-after-free conditions
- Track vendor advisories and OEM patch levels so devices remain at the latest Arm-published driver revision
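For the auditd-based monitoring above, the sketch below joins the SYSCALL and PATH records of each audit event and reports callers of `/dev/mali*` that are not on an allowlist. It is an added example, not part of the original advisory; the watch rule key, the allowlist contents and the log records are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed watch rule (key name is hypothetical): -w /dev/mali0 -p rw -k mali_gpu
# Hypothetical allowlist of executables expected to use the GPU on this host.
EXPECTED_EXES = {"/usr/bin/gnome-shell", "/usr/lib/xorg/Xorg"}
EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (serial, record_type, fields) for one audit line, or None."""
    m = EVENT_ID.search(line)
    if not m or not line.startswith("type="):
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return int(m.group(1)), fields["type"], fields

def unexpected_gpu_callers(lines, expected=EXPECTED_EXES):
    """Join SYSCALL and PATH records by event serial; list unlisted callers."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        serial, rtype, fields = rec
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH" and fields.get("name", "").startswith("/dev/mali"):
            events[serial]["gpu_path"] = fields["name"]
    hits = []
    for serial in sorted(events):
        sc, path = events[serial].get("syscall"), events[serial].get("gpu_path")
        if sc and path and sc.get("exe") not in expected:
            hits.append((sc.get("exe"), sc.get("uid"), path))
    return hits

# Constructed sample records (not from a real system).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1764633600.101:501): arch=c00000b7 syscall=56 success=yes exit=7 pid=1320 uid=1000 comm="gnome-shell" exe="/usr/bin/gnome-shell" key="mali_gpu"',
    'type=PATH msg=audit(1764633600.101:501): item=0 name="/dev/mali0" nametype=NORMAL',
    'type=SYSCALL msg=audit(1764633611.482:502): arch=c00000b7 syscall=56 success=yes exit=3 pid=4471 uid=1001 comm="updater" exe="/tmp/.cache/updater" key="mali_gpu"',
    'type=PATH msg=audit(1764633611.482:502): item=0 name="/dev/mali0" nametype=NORMAL',
    'type=SYSCALL msg=audit(1764633620.007:503): arch=c00000b7 syscall=56 success=yes exit=3 pid=4480 uid=1001 comm="cat" exe="/usr/bin/cat" key="other"',
    'type=PATH msg=audit(1764633620.007:503): item=0 name="/etc/hostname" nametype=NORMAL',
]

if __name__ == "__main__":
    for exe, uid, path in unexpected_gpu_callers(SAMPLE_LOG):
        print(f"unexpected GPU device access: exe={exe} uid={uid} path={path}")
```

The same join supports the process-lineage correlation described under Detection Strategies if the `ppid` field of the SYSCALL record is carried into the result.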
How to Mitigate CVE-2025-8045
Immediate Actions Required
- Identify all systems running Valhall or 5th Gen GPU Architecture kernel drivers in the affected version range
- Apply the fixed driver release published by Arm and propagated by the SoC or OEM vendor as soon as it is available
- Restrict execution of untrusted local code on affected devices, especially shared or multi-tenant systems
Patch Information
Arm has published guidance covering the affected drivers in the ARM Developer Documentation. Upgrade the Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver to a version later than r54p1 once made available through the SoC vendor or OEM. On Android, apply the monthly security patch level that incorporates the fixed Mali driver from the device manufacturer.
Workarounds
- Limit installation of untrusted applications on affected devices until the patched driver is deployed
- Where feasible, restrict access to GPU device nodes via SELinux or Linux DAC policies to trusted system components only
- Monitor process-level access to the Mali device node and alert on unexpected callers