Arm Mali GPU Vulnerability Enables Bypass of MTE and Arbitrary Kernel Code Execution

A critical vulnerability, identified as CVE-2025-0072, has been discovered in the Arm Mali GPU kernel driver. It affects devices with newer Mali GPUs built on the Command Stream Frontend (CSF) architecture, including Google’s Pixel 7, 8, and 9 series.

The flaw was reported to Arm on December 12, 2024, by a security researcher and patched in Mali driver version r54p0, released on May 2, 2025, with the fix shipping in Android’s May 2025 security update. It allows a malicious Android app to gain arbitrary kernel code execution even on devices with kernel MTE enabled, in effect bypassing the Memory Tagging Extension (MTE).

The exploit, which the researcher tested successfully on a Pixel 8 with kernel MTE enabled, underscores how hard it remains to secure low-level memory management even with advanced hardware protections in place.

New CVE-2025-0072 Vulnerability

The vulnerability lies in the handling of CSF queues within the Mali GPU driver, specifically in the interaction between kbase_queue objects and the kbase_queue_group structures they belong to, which user space manipulates through ioctls such as KBASE_IOCTL_CS_QUEUE_BIND and KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE.

By sequencing queue bind and group-terminate calls in a particular order, an attacker can cause the queue->phys field to be repointed at newly allocated GPU memory pages while the user-space mapping created for the original pages is left in place after those pages are freed.

The result is a use-after-free in which freed pages remain readable and writable from user space through the stale mapping.

Exploiting CSF Queues

The exploit then arranges for the freed pages to be reused as a page global directory (PGD) of the GPU context’s page tables. Writing arbitrary entries into that PGD through the stale mapping lets the attacker map any physical memory into the GPU’s address space and rewrite kernel memory, including kernel code, which yields full control over the system.

According to the GitHub Security Lab report, the same primitive is also used to overwrite the exploiting process’s credentials to gain root and to disable SELinux, fully compromising the device’s security model.

What makes this vulnerability particularly alarming is that it bypasses MTE, a hardware security feature introduced in Armv8.5-A that detects memory-safety bugs such as use-after-free by assigning a tag to each 16-byte granule of memory and storing a matching tag in the unused top bits of the pointer; a load or store whose pointer tag does not match the memory tag raises a tag-check fault.

Unlike the earlier Mali GPU vulnerability CVE-2023-6241, in which freed memory was accessed through GPU operations, CVE-2025-0072 accesses freed memory through user-space mappings that the driver creates with functions such as mgm_vmf_insert_pfn_prot.

Because the driver inserts the page frames directly into the process’s page tables, the attacker’s reads and writes are ordinary user-space accesses rather than dereferences of tagged kernel pointers, so kernel MTE has nothing to check. The access keeps working after the pages are returned to the kernel’s buddy allocator and handed to a new owner.

This highlights a gap in what kernel MTE can protect: user-space access to freed kernel pages through driver-created mappings is outside its scope, so the driver itself must tear down such mappings before it frees the pages they cover.
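To make the two points above concrete, the stale user mapping left behind by the queue bind/terminate sequence and the reason a kernel-side tag check never sees the resulting access, here is a small C model written for this article. It is not code from the Mali driver or from the GitHub Security Lab write-up: the 64-byte pages, the four-slot "buddy allocator", the per-page tag standing in for an MTE granule tag, and every function name (queue_bind, queue_terminate_vuln, queue_terminate_fixed, kread, user_write) are hypothetical. The vulnerable terminate frees a queue’s backing page without revoking the user mapping; the hardened one zaps the mapping first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Mali driver code: 64-byte pages, a four-slot
 * "buddy allocator", and a per-page tag standing in for the MTE granule tag.
 * Kernel pointers carry a matching pointer tag. All names are hypothetical. */
#define PAGE_SIZE 64
#define NR_PAGES  4

struct page { uint8_t data[PAGE_SIZE]; uint8_t tag; bool in_use; };
static struct page pool[NR_PAGES];
static uint8_t next_tag = 1;

/* A kernel pointer as MTE sees it: the address plus the tag in its top byte. */
struct kptr { struct page *pg; uint8_t tag; };

static struct kptr alloc_page(void) {
    for (int i = 0; i < NR_PAGES; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = true;
        pool[i].tag = next_tag++;           /* fresh tag on every allocation */
        if (next_tag == 0) next_tag = 1;    /* tag 0 is reserved for free pages */
        memset(pool[i].data, 0, PAGE_SIZE);
        return (struct kptr){ &pool[i], pool[i].tag };
    }
    return (struct kptr){ NULL, 0 };        /* pool exhausted (never hit below) */
}

static void free_page(struct kptr p) {
    p.pg->in_use = false;
    p.pg->tag = 0;                          /* retag so stale kernel pointers mismatch */
}

/* Tag-checked kernel load; a mismatch is what MTE reports as a tag-check fault. */
static bool kread(struct kptr p, size_t off, uint8_t *out) {
    if (p.pg == NULL || p.tag != p.pg->tag) return false;
    *out = p.pg->data[off];
    return true;
}

/* User-space mapping: once the PFN is in the process page tables, access is a
 * plain user store that the kernel's pointer tags never see. */
struct user_map { struct page *pg; };
static void user_write(struct user_map m, size_t off, uint8_t v) { m.pg->data[off] = v; }

struct queue { struct kptr phys; struct user_map map; };

/* Bind: back the queue with a page and hand user space a mapping to it. */
static void queue_bind(struct queue *q) {
    q->phys = alloc_page();
    q->map.pg = q->phys.pg;
}

/* Vulnerable terminate: frees the backing page but leaves the mapping alive. */
static void queue_terminate_vuln(struct queue *q) {
    free_page(q->phys);
    q->phys = (struct kptr){ NULL, 0 };
}

/* Hardened terminate: tear down the user mapping before the page is freed. */
static void queue_terminate_fixed(struct queue *q) {
    q->map.pg = NULL;                       /* stands in for zapping the VMA range */
    queue_terminate_vuln(q);
}

static void reset_model(void) { memset(pool, 0, sizeof pool); next_tag = 1; }

/* True if user space could corrupt a page the kernel had freed and handed to
 * a new owner (in the real exploit: a PGD of the GPU context). */
static bool stale_mapping_corrupts_reuse(bool hardened) {
    reset_model();
    struct queue q;
    queue_bind(&q);
    if (hardened) queue_terminate_fixed(&q); else queue_terminate_vuln(&q);
    if (q.map.pg == NULL) return false;     /* mapping gone: nothing to abuse */
    struct kptr victim = alloc_page();      /* the same slot comes back from the pool */
    user_write(q.map, 0, 0x41);             /* write through the stale user mapping */
    uint8_t v = 0;
    bool ok = kread(victim, 0, &v);         /* the new owner's tagged access is clean */
    return ok && victim.pg == q.map.pg && v == 0x41;
}

/* Contrast: a stale kernel pointer to the same freed page is caught. */
static bool stale_kptr_is_caught(void) {
    reset_model();
    struct kptr p = alloc_page();
    free_page(p);
    (void)alloc_page();                     /* page reused under a new tag */
    uint8_t v;
    return !kread(p, 0, &v);                /* old tag != new tag: simulated fault */
}

int main(void) {
    printf("vulnerable: stale mapping corrupts reused page -> %d\n", stale_mapping_corrupts_reuse(false));
    printf("hardened:   stale mapping corrupts reused page -> %d\n", stale_mapping_corrupts_reuse(true));
    printf("stale kernel pointer caught by tag check       -> %d\n", stale_kptr_is_caught());
    return 0;
}
```

Compile with any C11 compiler and run. The first line prints 1 (the reallocated page is corrupted through the stale mapping while the new owner’s own tag-checked read passes), the second prints 0 (zapping the mapping before the free removes the primitive), and the third prints 1 (a stale kernel pointer to the same page trips the tag check). The point is the scope of the check: MTE guards tagged kernel pointer dereferences, not user-space page-table entries the driver left behind.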

CVE-2025-0072 reveals the limitations of even sophisticated memory safety mechanisms like MTE when confronted with vulnerabilities in custom memory pools and driver-specific mappings.

This exploit not only grants attackers kernel-level control over affected Android devices but also serves as a stark reminder of the need for comprehensive security audits and mitigations at all levels of system architecture.

As patches roll out, users of affected Pixel devices are urged to install the May 2025 security update. Other devices with CSF-based Mali GPUs are protected only once their vendor ships a kernel carrying Mali driver r54p0 or later.
