CVE-2024-12837
Published: 07 March 2025
Summary
CVE-2024-12837 is a high-severity Use After Free (CWE-416) vulnerability in Imaginationtech (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-12837 is a use-after-free vulnerability (CWE-416) affecting GPU drivers from Imagination Technologies. The issue arises when software installed and run as a non-privileged user makes improper GPU system calls, leading to corruption of kernel heap memory. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges, such as a standard user account, can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially allowing kernel heap manipulation that could lead to arbitrary code execution or full system compromise.
Imagination Technologies has published details on mitigations in their GPU driver vulnerabilities advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54154
Vulnerability details
Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The use-after-free vulnerability in the GPU kernel driver allows a low-privileged local user to trigger improper system calls that corrupt kernel heap memory, directly enabling exploitation for privilege escalation to achieve arbitrary code execution and full system compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements controls to protect system memory from use-after-free vulnerabilities that enable kernel heap corruption via improper GPU system calls.
Ensures timely remediation and patching of the specific use-after-free flaw in Imagination Technologies GPU drivers as advised by the vendor.
Restricts and monitors user-installed software that could make improper GPU system calls to trigger the kernel heap corruption vulnerability.