A set of vulnerabilities in ARM’s Mali mobile GPU drivers that have essentially gone unchecked and unfixed now leaves potentially millions of Android devices exposed to attacks. According to reports, at least five exploitable vulnerabilities remain unaddressed months after they were patched by the chipmaker.
These Mali GPU flaws were highlighted in a report by Google’s Project Zero team, which pointed out the gap and noted that it would take months before new security updates make their way to affected devices. Devices affected by the vulnerabilities include those from brands such as Google, Samsung, Xiaomi, and Oppo.
Discovered in June of this year, the five Mali GPU vulnerabilities are tracked under the collective identifiers CVE-2022-33917 and CVE-2022-36449. The former allows non-privileged users to make improper GPU processing operations in order to gain access to freed memory sections.
The second Mali GPU identifier, CVE-2022-36449, basically allows non-privileged users to access freed memory, write outside of buffer bounds, and disclose details of memory mappings. On a related note, these issues seem to affect the kernel drivers of Midgard, Bifrost, and Valhall models.
As for which Mali GPUs are affected, the Valhall-based ones are the G710, G610, and G510 mobile GPUs. Phones that use these GPUs include the Google Pixel 7, ASUS ROG Phone 6, Redmi Note 11 and Note 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge, and OnePlus 10R.
The Mali GPUs based on Bifrost drivers include the G76, G72, and G52 chips, found in the Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S and Realme 7.
Then, for Midgard-based Mali GPUs, the list includes the already archaic Mali T800 and T700 series chips, primarily found in what are also essentially legacy devices at this point: the Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, and Redmi Note 4.
The good news is that devices powered by Qualcomm’s Snapdragon chipset aren’t affected. At the time of writing, there still doesn’t appear to be a fix from ARM for the Mali GPU flaws. That being said, Google’s Android team should deliver a patch to its OEM partners, who are responsible for implementing said patch.
(Source: BleepingComputer, Google)
The post Unfixed ARM Mali GPU Security Gaps Leaves Millions Of Android Users Vulnerable appeared first on Lowyat.NET.