CVE-2024-12837
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-12837 is a use-after-free vulnerability (CWE-416) affecting GPU drivers from Imagination Technologies. The issue arises when software installed and run as a non-privileged user makes improper GPU system calls, leading to corruption of kernel heap memory. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges, such as a standard user account, can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially allowing kernel heap manipulation that could lead to arbitrary code execution or full system compromise.
Imagination Technologies has published details on mitigations in their GPU driver vulnerabilities advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability in the GPU kernel driver allows a low-privileged local user to trigger improper system calls that corrupt kernel heap memory, directly enabling exploitation for privilege escalation to achieve arbitrary code execution and full system compromise.