CVE-2025-0015

7.8 HIGH

📋 TL;DR

A Use After Free vulnerability in Arm's Valhall and 5th Gen GPU kernel drivers allows local non-privileged users to access freed memory through improper GPU operations. This affects devices with specific Arm GPU driver versions, potentially leading to privilege escalation or system compromise.

💻 Affected Systems

Products:
  • Arm Ltd Valhall GPU Kernel Driver
  • Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver
Versions: Valhall: r48p0 through r49p1, r50p0 through r52p0; 5th Gen: r48p0 through r49p1, r50p0 through r52p0
Operating Systems: Android, Linux distributions with affected Arm GPU drivers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using Arm Mali GPUs with vulnerable driver versions. Typically found in mobile devices, embedded systems, and some servers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to kernel-level access, allowing full system compromise, data theft, or installation of persistence mechanisms.

🟠 Likely Case

Local privilege escalation enabling unauthorized access to sensitive data or system resources.

🟢 If Mitigated

Limited impact if proper access controls restrict local user accounts and GPU operations are monitored.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable via network.
🏢 Internal Only: HIGH - Local attackers or malicious insiders can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of GPU driver internals. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after r49p1 for r48-r49 series, after r52p0 for r50-r52 series

Vendor Advisory: https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

Restart Required: No

Instructions:

1. Check current GPU driver version.
2. Obtain updated driver from device manufacturer or Arm.
3. Apply driver update following vendor instructions.
4. Verify update applied successfully.

🔧 Temporary Workarounds

Restrict GPU access

Linux

Limit non-privileged user access to GPU operations through system permissions

chmod 750 /dev/mali0
setfacl -m u:user:r-- /dev/mali0

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor system logs for unusual GPU driver activity or privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check GPU driver version via 'cat /sys/class/misc/mali0/device/driver/version' or vendor-specific commands

Check Version:

cat /sys/class/misc/mali0/device/driver/version 2>/dev/null || echo 'Driver not found'

Verify Fix Applied:

Verify that the driver version is outside the affected ranges, i.e. not within r48p0-r49p1 or r50p0-r52p0.
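The range check above can be scripted so it gives the same answer on every device in a fleet. The following is an added example, not Arm's or the page author's code; it assumes the version text contains a release token of the form r<major>p<minor>, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: classify a Mali driver release string against the
# CVE-2025-0015 ranges listed on this page (r48p0-r49p1, r50p0-r52p0).
# Assumption: the text contains a token shaped like r<major>p<minor>.

# Strip leading zeros so shell arithmetic never treats "08" as octal.
strip_zeros() {
    printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# Prints AFFECTED, NOT_AFFECTED, or UNKNOWN (no release token found).
mali_cve_2025_0015_status() {
    tok=$(printf '%s\n' "$1" | grep -Eo 'r[0-9]+p[0-9]+' | head -n 1)
    if [ -z "$tok" ]; then
        echo UNKNOWN
        return 0
    fi

    major=${tok#r}          # "49p1"
    major=${major%%p*}      # "49"
    minor=${tok##*p}        # "1"
    major=$(strip_zeros "$major")
    minor=$(strip_zeros "$minor")

    # Order releases by a single integer key (assumes minor < 1000).
    key=$(( major * 1000 + minor ))

    if [ "$key" -ge 48000 ] && [ "$key" -le 49001 ]; then
        echo AFFECTED       # r48p0 through r49p1
    elif [ "$key" -ge 50000 ] && [ "$key" -le 52000 ]; then
        echo AFFECTED       # r50p0 through r52p0
    else
        echo NOT_AFFECTED
    fi
}

# Stand-alone use: pass the version text as the first argument.
if [ "$#" -gt 0 ]; then
    mali_cve_2025_0015_status "$1"
fi
```

Run it as `sh check.sh "$(cat /sys/class/misc/mali0/device/driver/version 2>/dev/null)"`, using the path given on this page. An UNKNOWN result means the version could not be read and the device still needs a manual check.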

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages related to GPU driver
  • Unusual privilege escalation attempts from local users
  • GPU driver crash logs

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="kernel" AND ("mali" OR "gpu") AND ("panic" OR "oops" OR "segfault")
