Cyber Resilience

CVE-2021-28663

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 May 2021

Published
10 May 2021
Modified
03 November 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0362 88.1th percentile
Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-28663 is a high-severity Use After Free (CWE-416) vulnerability in Arm Bifrost Gpu Kernel Driver. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 11.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

The vulnerability CVE-2021-28663 is a use-after-free flaw (CWE-416) in the Arm Mali GPU kernel driver stemming from mishandled GPU memory operations. It affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0, and carries a CVSS 3.1 score of 8.8.

An attacker with low privileges can exploit the issue over a network to obtain privilege escalation or information disclosure with high impact to confidentiality, integrity, and availability.

Arm security updates direct users to the Mali GPU kernel driver advisory pages for patches that resolve the affected versions by advancing to r29p0 or later releases as appropriate.

A public reference implementation is available on GitHub, though no details on in-the-wild exploitation are provided in the source material.

EU & UK References

Vulnerability details

The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through…

more

r30p0.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

arm
bifrost gpu kernel driver
r0p0 — r29p0
arm
midgard gpu kernel driver
r4p0 — r31p0
arm
valhall gpu kernel driver
r19p0 — r29p0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor-supplied Mali GPU driver patches that advance affected Bifrost/Valhall/Midgard versions to r29p0+ and eliminate the use-after-free.

prevent

Enforces memory-protection mechanisms that can block or contain the use-after-free condition arising from mishandled GPU memory operations in the kernel driver.

prevent

Limits the initial low-privilege context an attacker must obtain before the GPU driver flaw can be reached, thereby reducing the chance of successful privilege escalation.

References