Critical Vulnerability in Arm Mali GPU Driver Enables MTE Bypass and Arbitrary Kernel Code Execution

Security researchers have identified a critical vulnerability in Arm’s Mali GPU driver, designated as CVE-2025-0072, which allows malicious Android applications to bypass Memory Tagging Extension (MTE) protections and achieve arbitrary kernel code execution. This flaw poses a significant threat to devices equipped with newer Arm Mali GPUs utilizing the Command Stream Frontend (CSF) architecture, including Google’s Pixel 7, 8, and 9 series smartphones.

Discovery and Disclosure

The vulnerability was discovered by security expert Man Yue Mo, who reported the issue to Arm on December 12, 2024. Following responsible disclosure practices, Arm addressed the vulnerability in Mali driver version r54p0, which was publicly released on May 2, 2025, and subsequently included in Android’s May 2025 security update.

Technical Details

The attack vector involves exploiting the communication mechanism between Mali GPUs and userland applications through command queues, specifically targeting the driver's implementation of kbase_queue objects. This vulnerability follows a concerning pattern of MTE bypass techniques, building upon similar research that Mo had previously published regarding CVE-2023-6241.

The exploitation technique centers on creating a page use-after-free condition that allows attackers to reuse freed memory pages as page table global directories (PGD) for GPU contexts. This approach enables the manipulation of GPU memory management structures, ultimately providing a pathway to arbitrary kernel code execution.

Implications

The significance of this vulnerability lies not only in its ability to compromise device security but also in its demonstration that modern hardware security extensions like MTE can be systematically bypassed through sophisticated driver-level attacks. Mo successfully developed and tested the exploit on a Pixel 8 device with kernel MTE enabled, indicating that the vulnerability affects real-world deployments where MTE is actively protecting against memory safety violations.

Mitigation and Recommendations

Users are strongly advised to update their devices to the latest firmware versions that include the patched Mali driver (r54p0 or later) to mitigate the risk associated with this vulnerability. Device manufacturers and software developers should also prioritize integrating these updates to ensure comprehensive protection against potential exploits.
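The advice above reduces to one concrete check: is the Mali driver release on a device at or past r54p0? The following helper is an added example, not code from the article, from Arm, or from Google; it parses release tags of the form `r<major>p<point>` (the format the article uses for r54p0) and compares them against the patched release. How the release string is obtained from a given device (vendor driver interface, OEM build notes) is left to the operator and is assumed to be available as plain text; the inventory list at the bottom is constructed sample data.

```python
import re

# Minimum Mali driver release carrying the fix for CVE-2025-0072 (from the article).
PATCHED_RELEASE = "r54p0"

# Arm Mali release tags look like r54p0, r53p1, etc. (assumption: only this shape is accepted).
_RELEASE_RE = re.compile(r"^r(\d+)p(\d+)$")


def parse_mali_release(release):
    """Turn a release tag such as 'r54p0' into a comparable (major, point) tuple.

    Anything that does not match the expected shape raises ValueError, so an
    unrecognised or empty string is never silently treated as patched.
    """
    match = _RELEASE_RE.match(release.strip().lower())
    if not match:
        raise ValueError("unrecognised Mali release tag: %r" % (release,))
    return int(match.group(1)), int(match.group(2))


def is_patched(release, patched=PATCHED_RELEASE):
    """True when `release` is the same as or newer than the patched release."""
    return parse_mali_release(release) >= parse_mali_release(patched)


def triage(devices, patched=PATCHED_RELEASE):
    """Classify a {device_name: release_tag} mapping into patched, vulnerable and unknown.

    'unknown' collects devices whose release string could not be parsed; those need
    manual follow-up rather than being assumed safe.
    """
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for name, release in devices.items():
        try:
            bucket = "patched" if is_patched(release, patched) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(name)
    for bucket in result:
        result[bucket].sort()
    return result


# Constructed sample inventory (hypothetical device names and release strings).
SAMPLE_INVENTORY = {
    "pixel8-lab-01": "r54p0",
    "pixel7-lab-02": "r49p2",
    "pixel9-lab-03": "R55P1",
    "pixel8-lab-04": "unknown",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (bucket, ", ".join(names) or "-"))
```

Feed `triage` the release strings collected from your fleet; any device that lands in `unknown` should be treated as unverified, not as patched.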