
Preface: The Valhall family of Mali GPUs uses the same top-level architecture as the previous generation Bifrost GPUs. The Valhall family uses a unified shader core architecture.
The Arm 5th generation GPU architecture, including the Immortalis and Mali GPUs, represents a modern design for mobile and other client devices.
Background: ioctl (Input/Output Control) is the primary syscall used by userspace GPU drivers to communicate with the kernel-space driver. It allows sending custom commands and structured data to the driver.
Typical ioctl operations in Mali drivers include:
MALI_IOCTL_ALLOC_MEM: Allocate GPU-accessible memory
MALI_IOCTL_FREE_MEM: Free previously allocated memory
MALI_IOCTL_SUBMIT_JOB: Submit a GPU job (e.g., shader execution)
MALI_IOCTL_WAIT_JOB: Wait for job completion
MALI_IOCTL_MAP_MEM: Map memory to userspace
The path bifrost-drivers/driver/product/kernel/drivers/gpu/arm indicates that the code within this directory is part of the kernel-space drivers for Arm Mali Bifrost GPUs.
Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.
Scope of impact: This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.
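To triage a device fleet against the ranges above, the following added example (not code from Arm or from this advisory) checks a userspace driver release string against the affected ranges per GPU family. The family keys, the inventory rows and the device names are constructed for illustration, and it assumes the release has already been extracted as a plain rXpY string.

```python
import re

# Affected ranges copied from the "Scope of impact" paragraph (inclusive bounds).
# The family keys are labels chosen for this example.
AFFECTED = {
    "bifrost": [("r48p0", "r49p3"), ("r50p0", "r51p0")],
    "valhall": [("r48p0", "r49p3"), ("r50p0", "r54p0")],
    "5thgen":  [("r48p0", "r49p3"), ("r50p0", "r54p0")],
}

_RELEASE = re.compile(r"^r(\d+)p(\d+)$")

def parse_release(text):
    """Turn 'r49p3' into (49, 3); reject anything else instead of guessing."""
    m = _RELEASE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not an rXpY release string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(family, release):
    """True if the release falls inside a range listed for CVE-2025-0932."""
    if family not in AFFECTED:
        raise ValueError(f"unknown family: {family!r}")
    v = parse_release(release)
    # Tuple comparison orders by major (r) first, then patch (p), so r49p10 > r49p3.
    return any(parse_release(lo) <= v <= parse_release(hi)
               for lo, hi in AFFECTED[family])

def triage(inventory):
    """Return the (device, family, release) rows that need a driver update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory; device names are made up for illustration.
SAMPLE_INVENTORY = [
    ("tablet-a", "bifrost", "r47p0"),   # below the first range
    ("tablet-b", "bifrost", "r51p0"),   # upper bound of the Bifrost range
    ("phone-c",  "valhall", "r49p4"),   # in the gap between r49p3 and r50p0
    ("phone-d",  "valhall", "r53p0"),
    ("phone-e",  "5thgen",  "r54p0"),
    ("kiosk-f",  "bifrost", "r52p0"),   # past the Bifrost range, unlike Valhall
]

if __name__ == "__main__":
    for device, family, release in triage(SAMPLE_INVENTORY):
        print(f"{device}: {family} {release} is in an affected range")
```

Release strings that carry a vendor suffix or any other decoration are rejected with an error rather than matched loosely, so a malformed inventory entry cannot be silently reported as unaffected.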
Official announcement: Please see the link for details –
https://nvd.nist.gov/vuln/detail/CVE-2025-0932
https://developer.arm.com/documentation/110626/latest
Ref: Typo: the attached code shows a free after use, which is part of the remedy. The use after free itself is not shown.