
CVE-2025-2879: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Arm Ltd Valhall GPU Kernel Driver

Severity: Medium
Published: Mon Dec 01 2025 (12/01/2025, 10:32:19 UTC)
Source: CVE Database V5
Vendor/Project: Arm Ltd
Product: Valhall GPU Kernel Driver

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0.

AI-Powered Analysis

Last updated: 12/08/2025, 11:50:52 UTC

Technical Analysis

CVE-2025-2879 is a vulnerability identified in the Arm Ltd Valhall GPU Kernel Driver and the Arm 5th Gen GPU Architecture Kernel Driver, affecting versions from r29p0 through r49p4 and r50p0 through r54p0. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. Specifically, a local non-privileged user process can exploit improper GPU processing operations to access sensitive data that should be protected by the kernel driver. This occurs because the GPU kernel driver fails to enforce adequate access controls or properly isolate sensitive data during GPU operations, allowing unauthorized read access.

The CVSS v3.1 base score is 5.1 (medium severity), with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The vulnerability does not require elevated privileges or user interaction, making it easier for local attackers to exploit if they have access to the system. However, it is limited to local access, so remote exploitation is not feasible. No public exploits or patches are currently available, but the issue is published and tracked by Arm and the CVE database.

This vulnerability could be leveraged to leak sensitive information from GPU memory or kernel data structures, potentially exposing cryptographic keys, user data, or other confidential information processed by the GPU. Given the widespread use of Arm GPUs in mobile devices, embedded systems, and increasingly in servers and edge computing, this vulnerability poses a risk to systems relying on these drivers for graphics or compute workloads.

Potential Impact

For European organizations, the exposure of sensitive information via this vulnerability could lead to data breaches involving confidential user data, intellectual property, or cryptographic materials processed by GPUs. Industries relying on Arm-based devices, including telecommunications, automotive, IoT, and mobile sectors, may be particularly affected. The vulnerability's local access requirement limits remote exploitation but insider threats or compromised local accounts could exploit it to escalate data access. This could undermine data confidentiality and integrity, potentially violating GDPR and other data protection regulations, leading to legal and reputational consequences. Additionally, organizations using Arm GPUs in edge computing or cloud infrastructure may face risks if attackers gain local access to GPU-enabled nodes. The lack of availability impact reduces the risk of service disruption, but the confidentiality breach potential remains significant. The absence of known exploits in the wild currently lowers immediate risk but does not eliminate future exploitation possibilities once details become public.

Mitigation Recommendations

European organizations should implement strict access controls to limit local user access to systems running affected Arm GPU drivers. Employing least privilege principles and monitoring for unusual GPU driver usage or local process behavior can help detect exploitation attempts. Virtualization or containerization strategies that isolate GPU access may reduce exposure. Organizations should track Arm Ltd advisories closely and apply patches or driver updates promptly once released. In the interim, disabling or restricting GPU kernel driver usage where feasible, especially on sensitive systems, can mitigate risk. Security teams should audit systems for the presence of affected driver versions and assess exposure based on device roles. Additionally, integrating GPU driver monitoring into endpoint detection and response (EDR) solutions can enhance detection capabilities. For critical environments, consider hardware-based security features or trusted execution environments to protect sensitive GPU workloads.
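The driver-version audit recommended above, as an added example (not code from Arm or from this page): a Python check that classifies driver release strings against the affected ranges listed in the description. The product keys, the sample inventory and the assumption that releases are reported as `rNNpM` with an optional build suffix are constructed for illustration.

```python
import re

# Affected release ranges copied from the CVE description (inclusive bounds).
AFFECTED = {
    "valhall": [("r29p0", "r49p4"), ("r50p0", "r54p0")],
    "5th-gen": [("r41p0", "r49p4"), ("r50p0", "r54p0")],
}

# Assumption: release strings look like rNNpM, optionally followed by a
# build suffix such as "-01eac0". Anything else is treated as unparseable.
_RELEASE = re.compile(r"^r(\d+)p(\d+)(?:[-_.].*)?$")


def parse_release(text):
    """Return (release, patch) for an rNNpM string, or None if it does not parse."""
    m = _RELEASE.match(text.strip().lower())
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(product, release):
    """Return 'affected', 'outside-range' or 'unknown' for one driver release."""
    ranges = AFFECTED.get(product)
    version = parse_release(release)
    if ranges is None or version is None:
        return "unknown"  # never report an unparseable entry as safe
    for low, high in ranges:
        if parse_release(low) <= version <= parse_release(high):
            return "affected"
    # Outside the listed ranges only; the page names no fixed release.
    return "outside-range"


def audit(inventory):
    """Map each (host, product, release) row to its classification."""
    return {host: classify(product, rel) for host, product, rel in inventory}


# Constructed inventory for illustration; hostnames and releases are made up.
SAMPLE_INVENTORY = [
    ("kiosk-01", "valhall", "r38p1"),
    ("kiosk-02", "valhall", "r28p0"),
    ("edge-07", "5th-gen", "r40p0"),
    ("edge-08", "5th-gen", "r54p0-01eac0"),
    ("tablet-3", "valhall", "r55p0"),
    ("tablet-4", "valhall", "unknown-build"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows that come back `unknown` need manual review, since a missing or unparseable release string says nothing about exposure.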


Technical Details

Data Version: 5.2
Assigner Short Name: Arm
Date Reserved: 2025-03-27T18:06:06.545Z
CVSS Version: null
State: PUBLISHED

Threat ID: 692d70a066fdaac17027827a

Added to database: 12/1/2025, 10:40:32 AM

Last enriched: 12/8/2025, 11:50:52 AM

Last updated: 1/15/2026, 3:01:12 PM
