Bypassing MTE with CVE-2025-0072

ID: dadadece-3af0-5cf8-946f-17158f1ce3cc

STIX ID: report--dadadece-3af0-5cf8-946f-17158f1ce3cc

Feed Name: GitHub Security Lab

Threat Score
80/100

Date Published: 2025-05-23

Date Updated: 2026-04-27

Author: Man Yue Mo

...
...

This report analyzes CVE-2025-0072, a use-after-free in Arm Mali GPU CSF queues that an untrusted Android app can exploit to bypass Arm's Memory Tagging Extension and achieve arbitrary kernel code execution on affected devices (e.g., Pixel 7/8/9). The author walks through how queue bindings and GPU memory pool behavior enable freeing and reusing pages as GPU page tables, demonstrates how this yields kernel read/write and code modification, links a Pixel 8 exploit PoC, and notes the issue was fixed in Mali r54p0 and Android's May 2025 security update.