A set of five exploitable vulnerabilities in Arm’s Mali GPU driver remain unfixed months after the chip maker patched them, leaving potentially millions of Android devices exposed to attacks.
Devices from Google, Samsung, Xiaomi, Oppo, as well as other phone makers are currently impacted and waiting for a fix to reach users.
A report published by Google’s Project Zero team highlights the “patch gap” that plagues the supply chain in Android, as it typically takes several months for firmware security updates to trickle downstream to affected devices.
Original Equipment Maker (OEM) partners need time to test the fixes and implement them into their devices, a process that extends the time to reach end user devices.
Flaws and impact
CVE-2022-33917 allows a non-privileged user to make improper GPU processing operations to gain access to free memory sections. The vulnerability impacts Arm Mali GPU kernel drivers Valhall r29p0 to r38p0.
The second identifier, CVE-2022-36449, comprises issues that allow a non-privileged user to gain access to freed memory, write outside of buffer bounds, and disclose details of memory mappings.
It impacts Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.
While the severity score of the issues is medium, they are exploitable and impact a wide number of Android devices.
Valhall drivers are used in Mali G710, G610, and G510 chips found inside the Google Pixel 7, Asus ROG Phone 6, Redmi Note 11 and 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge, and OnePlus 10R.
Bifrost drivers are used in the older (2018) Mali G76, G72, and G52 chips used by Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S, and Realme 7.
Midgard drivers are used in even older (2016) Mali T800 and T700 series chips, most notably found inside Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, and Redmi Note 4.
There is nothing users can do to mitigate these flaws apart from waiting for the vendor to provide the appropriate patches and keep an eye out for potential threats.
Older models using Midgard drivers are extremely unlikely to receive a fixing patch, so these should be replaced altogether.
Mali GPU drivers are used by system-on-a-chip circuits from vendors such as MediaTek, HiSilicon Kirin, and Exyno, which power most Android devices on the market.
At the moment, the fix from Arm has not reached OEM partners and is being tested for Android and Pixel devices. In a few weeks, Android will be delivering the patch to its partners, who are reponsible for implementing the fix.