A set of five medium-severity security flaws in Arm’s Mali GPU driver has remained unpatched on Android devices for months, despite fixes released by the chipmaker.
Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022.
“These fixes haven’t yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others),” Project Zero researcher Ian Beer said in a report. “Devices with a Mali GPU are currently vulnerable.”
The vulnerabilities, collectively tracked under the identifiers CVE-2022-33917 (CVSS score: 5.5) and CVE-2022-36449 (CVSS score: 6.5), concern a case of improper memory processing, thereby allowing a non-privileged user to gain access to freed memory.
The second flaw, CVE-2022-36449, can be further weaponized to write outside of buffer bounds and disclose details of memory mappings, according to an advisory issued by Arm. The list of affected drivers is below:
- Valhall GPU Kernel Driver: All versions from r29p0 – r38p0
- Midgard GPU Kernel Driver: All versions from r4p0 – r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r38p0, and r39p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r38p0, and r39p0
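
The ranges above can be checked mechanically against a device inventory. The following is an added example, not code from Arm, Project Zero or the article; the function names are hypothetical, the driver version is assumed to be already known in `rXpY` form, and it assumes `p` levels order numerically within a release (so `r38p1` falls outside a range ending at `r38p0`).

```python
import re

# Affected ranges as listed in the article (inclusive bounds; a single
# release is written as a range of one). Valhall appears twice in the
# list, so both of its ranges are kept as written.
AFFECTED = {
    "valhall": [("r29p0", "r38p0"), ("r19p0", "r38p0"), ("r39p0", "r39p0")],
    "midgard": [("r4p0", "r32p0")],
    "bifrost": [("r0p0", "r38p0"), ("r39p0", "r39p0")],
}

_VERSION = re.compile(r"^r(\d+)p(\d+)$")


def parse_version(text):
    """Turn 'r38p0' into (38, 0) so versions compare numerically, not as strings."""
    match = _VERSION.match(text.strip().lower())
    if not match:
        raise ValueError(f"not an rXpY driver version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(family, version):
    """True if the driver family/version falls inside a range listed above."""
    ranges = AFFECTED.get(family.strip().lower())
    if ranges is None:
        raise ValueError(f"unknown driver family: {family!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    inventory = [("Valhall", "r38p0"), ("Valhall", "r40p0"),
                 ("Bifrost", "r39p0"), ("Midgard", "r32p0")]
    for family, version in inventory:
        status = "AFFECTED" if is_affected(family, version) else "not listed"
        print(f"{family:8} {version:6} {status}")
```

Parsing into integer pairs matters here: compared as plain strings, `r4p0` would sort after `r32p0` and the Midgard range would match nothing.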
The findings once again highlight how patch gaps can render millions of devices vulnerable at once and put them at risk of heightened exploitation by threat actors.
“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” Beer said.
“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”