CVE-2025-6349 is a Use After Free (CWE-416) vulnerability identified in the Arm Ltd Valhall GPU Kernel Driver, specifically impacting versions from r53p0 through r54p1. The vulnerability arises from improper handling of GPU memory operations, where a local non-privileged process can access memory regions that have already been freed. This condition can lead to unauthorized access to sensitive data or corruption of memory contents, potentially allowing an attacker to escalate privileges or bypass security controls within the GPU driver context. The flaw affects the Arm 5th Gen GPU Architecture Kernel Driver, which is widely used in various embedded systems, mobile devices, and potentially in some server environments leveraging Arm-based GPUs. The vulnerability does not require elevated privileges or user interaction to exploit, but it does require local access to the system, limiting remote exploitation. The CVSS 3.1 base score is 5.1, reflecting a medium severity level due to the limited scope of impact (confidentiality and integrity only) and the local attack vector. No public exploits or patches are currently available, indicating that organizations should proactively monitor for updates. The vulnerability could be leveraged by attackers to read sensitive information from GPU memory or manipulate GPU operations, which may affect applications relying on GPU processing for security-sensitive tasks. Given the increasing use of Arm GPUs in consumer and industrial devices, this vulnerability represents a tangible risk for environments where local user access cannot be fully controlled.

For European organizations, the primary impact of CVE-2025-6349 lies in the potential compromise of confidentiality and integrity of data processed or stored in GPU memory. Organizations relying on Arm 5th Gen GPUs in workstations, embedded systems, or edge devices could face risks of unauthorized data disclosure or manipulation by local attackers. This is particularly concerning for sectors handling sensitive information such as finance, healthcare, and critical infrastructure, where GPU-accelerated computations may be involved. Although the vulnerability does not affect availability, the ability to access freed memory could facilitate further exploitation chains leading to privilege escalation or bypass of security mechanisms. The requirement for local access reduces the risk of widespread remote attacks but elevates the threat in environments with shared access or insufficient endpoint controls. European organizations with large deployments of Arm-based devices, especially in manufacturing, automotive, and telecommunications, may experience increased exposure. The lack of patches at present necessitates heightened vigilance and interim protective measures to mitigate potential exploitation.

1. Restrict local access to systems running affected Arm 5th Gen GPU drivers by enforcing strict user account controls and limiting physical and remote access to trusted personnel only. 2. Implement endpoint security solutions that monitor and alert on unusual GPU driver or memory access behaviors indicative of exploitation attempts. 3. Maintain an inventory of devices using the affected Valhall GPU Kernel Driver versions (r53p0 through r54p1) to identify vulnerable assets. 4. Engage with Arm Ltd and device vendors to obtain timely security patches or firmware updates once available and prioritize their deployment. 5. Consider isolating critical workloads from untrusted local users or running GPU-accelerated applications within sandboxed or virtualized environments to reduce attack surface. 6. Conduct regular security audits and penetration tests focusing on local privilege escalation vectors involving GPU drivers. 7. Educate users and administrators about the risks of local exploitation and enforce policies to prevent unauthorized software installation or execution. 8. Monitor threat intelligence feeds for any emerging exploit code or attack campaigns targeting this vulnerability to enable rapid response.