CVE-2021-29256
Published: 24 May 2021
Summary
CVE-2021-29256 is a high-severity Use After Free (CWE-416) vulnerability in the Arm Bifrost GPU Kernel Driver. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 28.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a use-after-free flaw, identified as CWE-416, in the Arm Mali GPU kernel driver. It permits an unprivileged user to access freed memory and affects Bifrost GPU drivers from r16p0 through r29p0 (prior to r30p0), Valhall drivers from r19p0 through r29p0 (prior to r30p0), and Midgard drivers from r28p0 through r30p0. The issue carries a CVSS 3.1 base score of 8.8.
An attacker with low privileges can exploit the flaw over a network-accessible path without user interaction, resulting in information disclosure or escalation to root privileges on affected systems.
Arm has published security updates addressing the Mali GPU kernel driver, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-15895
Vulnerability details
The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.
- CWE(s): CWE-416
- KEV Date Added: 07 July 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): Directly implements memory protection safeguards that block use-after-free access to freed kernel memory in the Mali GPU driver.
- SI-2 (Flaw Remediation): Requires timely application of the vendor patches that close the use-after-free flaw in Bifrost/Valhall/Midgard drivers before r30p0.
- Least privilege: Enforces least privilege so that an unprivileged user cannot reach the vulnerable kernel driver path or retain escalated root access after exploitation.