Bypassing MTE with CVE-2025-0072
Blog post from GitHub
Memory Tagging Extension (MTE) is a security feature designed to prevent memory corruption vulnerabilities, yet recent exploits such as CVE-2025-0072 reveal its limitations. This vulnerability, found in ARM's Mali GPU driver, allows a malicious Android app to bypass MTE and execute arbitrary kernel code, affecting devices such as Google's Pixel series. The exploit leverages the Command Stream Frontend (CSF) architecture, manipulating command queues to create a use-after-free condition that gives access to freed memory pages. MTE's hardware-level protections are bypassed because the freed pages are accessed through user-space mappings rather than through kernel pointer dereferences, which are the more common attack vector and the one MTE is built to catch. The flaw was addressed in a May 2025 update, highlighting the ongoing challenge of ensuring memory safety even with advanced features like MTE.