Medium

Use-After-Free in Arm Valhall / 5th Gen GPU Kernel Driver

IdentifiersCVE-2025-6349CWE-416· Use After Free

CVE-2025-6349 is a use-after-free vulnerability in Arm Ltd's Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver. According to the provided content, a local non-privileged user process can perform improper GPU memory processing operations and gain access to memory that has already been freed. The issue affects driver versions from r53p0 through r54p1. The flaw is in the kernel GPU driver’s handling of GPU memory lifecycle/state, where freed memory can remain reachable through subsequent processing operations, creating a stale reference condition in kernel-space driver logic.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local unprivileged process to access previously freed memory through the GPU kernel driver. In practice, this can expose sensitive data resident in reclaimed memory and may also create a path toward further memory corruption consequences depending on allocator state and exploitability on a given device build. The Android bulletin context classifies the issue as high severity in Arm Mali GPU components.

Mitigation

If you can’t patch tonight, do this now.

Until patched drivers are deployed, reduce exposure by limiting installation and execution of untrusted local applications, since the issue requires local code execution from a non-privileged process. Enterprise defenders should prioritize vendor security updates for affected Android devices, verify OEM integration of the Arm GPU driver fix, and restrict devices that cannot receive the December 2025 vendor patch level from accessing sensitive environments. No specific configuration-based workaround is provided in the supplied content.

Remediation

Patch, then assume compromise.

Update affected Arm Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver versions from r53p0 through r54p1 to a vendor/OEM release that incorporates Arm's fix for CVE-2025-6349. On Android, deploy the relevant vendor firmware/security update included in the December 2025 Android Security Bulletin, preferably at the 2025-12-05 patch level or later where the vendor-specific GPU fixes are included.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Arm5th Gen Gpu Architecture Kernel Driverapplication

ArmValhall Gpu Kernel Driverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

socradar blogNews

Dec 2, 2025

December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited

High-severity vulnerability affecting Arm Mali GPU components (GPU driver class issues such as memory corruption/information disclosure/local privilege escalation are mentioned generally).

cyberthroneNews

Dec 2, 2025

Android Patch Update December 2025

High-severity ARM Mali GPU driver vulnerability fixed via vendor updates; could undermine graphics isolation and be chained with other issues.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-6349

NVD

nvd.nist.gov/vuln/detail/CVE-2025-6349

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

developer.arm.com/documentation/110697/latest