CVE-2025-6573
Published: 09 August 2025
Summary
CVE-2025-6573 is a critical-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Imagination Technologies GPU drivers (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 29.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-4 (Information in Shared System Resources).
Deeper analysis
CVE-2025-6573 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-08-09, affecting kernel software installed and running inside an untrusted or rich execution environment (REE). The flaw, classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges), enables this kernel software to leak sensitive information from the trusted execution environment (TEE). It impacts Imagination Technologies GPU drivers, as detailed in their vulnerability advisory.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality by leaking TEE data, alongside high integrity and availability impacts, potentially enabling data theft, modification, or denial of service within the affected environments.
For mitigation details, including patches or workarounds, refer to the vendor advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24023
Vulnerability details
Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel information leak across the REE-to-TEE boundary directly enables local privilege escalation via exploitation, as well as access to credentials and other sensitive data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Hardware-enforced separation and policy enforcement mechanisms directly prevent REE kernel software from leaking sensitive TEE information by isolating trusted and untrusted environments.
Protects shared system resources to block unauthorized information transfer from TEE to untrusted REE kernel software, addressing the core leakage mechanism.
Enforces strict information flow control policies between TEE and REE, mitigating improper privilege handling that enables cross-environment data leakage.