A set of five medium-severity security flaws in Arm’s Mali GPU driver remains unpatched on millions of Android devices, even though the chipmaker has released fixes.
In July and August 2022, Arm addressed the shortcomings identified by Google Project Zero.
According to Project Zero researcher Ian Beer, “these fixes have not yet made it downstream to affected Android devices,” including Pixel, Samsung, Xiaomi, Oppo, and others. Devices with a Mali GPU are currently vulnerable.
The vulnerabilities, tracked under CVE-2022-33917 (CVSS score: 5.5) and CVE-2022-36449 (CVSS score: 6.5), concern improper memory processing that could let a non-privileged user gain access to freed memory.
The second vulnerability, CVE-2022-36449, can be further exploited to write outside of buffer bounds and disclose details of memory mappings, according to an advisory issued by Arm. The affected drivers are:
- Valhall GPU Kernel Driver: All versions from r29p0 to r38p0
- Midgard GPU Kernel Driver: All versions from r4p0 to r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 to r38p0, and r39p0
- Valhall GPU Kernel Driver: All versions from r19p0 to r38p0, and r39p0
Once again, these findings highlight how small vulnerabilities or gaps can open up huge opportunities for attackers to exploit.
“Just as users are recommended to patch as soon as security updates are available, so the same goes for vendors and companies,” Beer said.
Companies need to stay alert, follow upstream sources closely, and be responsive to user needs.