A newly disclosed high-severity vulnerability, tracked as CVE-2025-0072, has been identified and patched in the Arm Mali GPU driver.
The flaw, discovered in late 2024 and fixed with the release of Mali driver version r54p0 in May 2025, enables a malicious Android application to bypass Arm’s Memory Tagging Extension (MTE) and achieve arbitrary kernel code execution.
The bug specifically affects recent Arm Mali GPUs utilizing the Command Stream Frontend (CSF) architecture a key component in devices such as Google’s Pixel 7, 8, and 9 series.
Technical Details of the Vulnerability
MTE is a sophisticated hardware-based memory safety mechanism on modern Arm architectures, designed to prevent exploitation of memory corruption vulnerabilities like buffer overflows and use-after-free bugs.
However, as the new vulnerability demonstrates, flaws in low-level driver code can undermine even robust mitigations.
The exploit targets the CSF command queue management within the Mali GPU driver.
CSF queues, represented by kbase_queue objects, facilitate communication between user-space applications and the GPU.
Through a sequence of ioctl calls (notably KBASE_IOCTL_CS_QUEUE_REGISTER, KBASE_IOCTL_CS_QUEUE_GROUP_CREATE, and KBASE_IOCTL_CS_QUEUE_BIND), a queue can be bound to a queue group and then mapped into user memory space.
The crux of the exploit leverages the ability to unbind and then rebind a kbase_queue to a new queue group after the original group is terminated.
During this process, GPU memory pages mapped into user space are improperly managed: previously allocated backing memory (queue->phys) can be replaced while the old memory mapping persists.
When the old mapping is unmapped, the new (still active) pages are inadvertently freed, resulting in a use-after-free condition.
The attacker, by controlling allocation timing, can cause these freed pages to be reallocated for critical driver data structures such as GPU page table global directories (PGDs).
Once user space retains a mapping to freed pages now used as PGDs, it becomes possible to alter GPU page tables from user space.
According to GitHub Report, this manipulation ultimately allows the mapping and modification of arbitrary kernel memory, including kernel code and security-critical data, granting full kernel code execution privileges.
Defeating the Memory Tagging Extension
One of the most concerning aspects of CVE-2025-0072 is its ability to bypass MTE, a mitigation specifically designed to catch use-after-free and similar memory safety errors.
Normally, the Linux kernel’s memory allocators and the Arm architecture collaborate to tag memory on allocation and check tags on dereference.
However, this exploit achieves bypass by exploiting details of page table insertion: the GPU driver uses functions that map physical memory pages into the user space address space without triggering the expected tag checks.
As such, even after the kernel’s buddy allocator releases a page, accessing it via the mapping does not cause MTE to raise an exception.
This demonstrates a subtle but critical gap: when device drivers map and unmap memory in ways the kernel does not fully mediate, features like MTE can be subverted.
The vulnerability was responsibly disclosed to Arm in December 2024, and promptly addressed in the May 2025 Mali driver update, which shipped alongside Android’s monthly security bulletin.
Given the prevalence of Arm Mali GPUs in flagship Android devices, timely patching is essential.
This case underscores the importance of rigorous security auditing in kernel device drivers, especially as hardware mitigations like MTE become standard.
Complex memory management code at the kernel boundary remains a fertile ground for attackers, and even advanced protections can be undermined by subtle logic errors.
Security researchers note that this attack path using driver-managed memory pools and carefully sequenced memory mappings may have wider relevance beyond the Mali GPU ecosystem, pointing to the ongoing need for defense-in-depth at all layers of the operating system stack.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
