PhantomMap: GPU-Assisted Kernel Exploitation

Jiayi Hu

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security

As CPU-side kernel exploitation has been increasingly hardened with mitigations like SLAB virtual, Samsung RKP, and KASLR, this talk introduces **PhantomMap** -- a GPU-assisted kernel exploitation technique that uses the **ARM Mali GPU driver's memory management subsystem** as a powerful exploitation primitive. The core finding is that the Mali GPU driver **decouples physical memory allocation from page table updates** and performs **zero validation on physical addresses** during memory mapping, enabling an attacker to remap arbitrary kernel memory into GPU user space with full read-write access.
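To make the decoupling concrete, here is an added model in C that is not code from the talk or from the ARM Mali driver: a GPU context records the physical pages the allocator granted it, and the map step is shown once without any physical-address check (the behaviour the abstract describes) and once with an ownership check that ties mapping back to allocation. The context structure, function names and PA values are all constructed for the demonstration.

```c
/* Constructed model, not ARM Mali driver code: a GPU context records the PAs
 * the allocator granted it; the checked mapping path consults that record. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define PAGE_SIZE 4096ULL
#define MAX_PAGES 16
typedef struct {
    uint64_t owned[MAX_PAGES];   /* PAs granted to this context by the allocator */
    size_t   n_owned;
    uint64_t mapped[MAX_PAGES];  /* PAs committed to the context's GPU page table */
    size_t   n_mapped;
} gpu_ctx;
/* Allocation step: the allocator hands a page-aligned PA to the context. */
bool alloc_page(gpu_ctx *ctx, uint64_t pa) {
    if (ctx->n_owned >= MAX_PAGES || (pa & (PAGE_SIZE - 1)) != 0) return false;
    ctx->owned[ctx->n_owned++] = pa;
    return true;
}
static bool ctx_owns(const gpu_ctx *ctx, uint64_t pa) {
    for (size_t i = 0; i < ctx->n_owned; i++)
        if (ctx->owned[i] == pa) return true;
    return false;
}
/* Decoupled mapping path as the abstract describes it: the PA in the map
 * request goes into the page table with no check that it was allocated here. */
bool map_page_unchecked(gpu_ctx *ctx, uint64_t pa) {
    if (ctx->n_mapped >= MAX_PAGES) return false;
    ctx->mapped[ctx->n_mapped++] = pa;
    return true;
}

/* Hardened path: mapping is tied back to allocation by an ownership lookup. */
bool map_page_checked(gpu_ctx *ctx, uint64_t pa) {
    if (ctx->n_mapped >= MAX_PAGES || !ctx_owns(ctx, pa)) return false;
    ctx->mapped[ctx->n_mapped++] = pa;
    return true;
}

/* True iff the unchecked path accepts a PA this context never owned while the
 * checked path rejects it and still maps an owned page. PA values constructed. */
bool run_model(void) {
    gpu_ctx ctx = {0};
    const uint64_t owned_pa = 0x80000000ULL, foreign_pa = 0x40001000ULL;
    if (!alloc_page(&ctx, owned_pa)) return false;
    bool unchecked_accepts = map_page_unchecked(&ctx, foreign_pa);
    bool checked_rejects = !map_page_checked(&ctx, foreign_pa);
    return unchecked_accepts && checked_rejects && map_page_checked(&ctx, owned_pa);
}
```

The ownership set stands in for whatever per-context allocation record a real driver keeps; the point is that the map request must be validated against it rather than trusted.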

AI review

This is the most impactful Android kernel exploitation technique I've seen in years. PhantomMap turns any heap corruption bug into direct kernel code injection via the Mali GPU driver's complete lack of physical address validation. No ROP, no info leak, no special capabilities -- just write shellcode through the GPU. Bypasses SLAB virtual and Samsung RKP. 15 exploit chains, 13 CVEs exploited, first public exploit for CVE-2025-21836. With Mali at 46% GPU market share, this affects a massive chunk of the Android ecosystem.
