A set of five exploitable vulnerabilities in Arm’s Mali GPU driver remains unpatched on devices months after the chipmaker fixed them, potentially leaving millions of Android devices open to attack.

Devices from Google, Samsung, Xiaomi, Oppo, and other phone makers are currently impacted and awaiting a fix to reach users.

A report published by Google’s Project Zero team highlights the “patching gap” plaguing Android’s supply chain, as it typically takes several months for firmware security updates to reach affected devices downstream.

OEM (original equipment manufacturer) partners need time to test patches and implement them in their devices, a process that extends the time it takes for fixes to reach end-user devices.

Flaws and impact

Project Zero discovered the vulnerabilities in June 2022. They are tracked as CVE-2022-33917 and CVE-2022-36449 (collective identifier for several security issues).

CVE-2022-33917 allows an unprivileged user to perform improper GPU processing operations to gain access to freed memory sections. The vulnerability affects Arm Mali Valhall GPU core drivers r29p0 through r38p0.

The second identifier, CVE-2022-36449, includes issues that allow an unprivileged user to access freed memory, write outside buffer boundaries, and leak details of memory mappings.

This affects GPU core drivers Arm Mali Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.

Project Zero tracks these issues as 2325, 2327, 2331, 2333, and 2334, and has published technical details for each of them, along with demo code.

Although the severity score of the issues is medium, they are exploitable and affect a large number of Android devices.

Valhall drivers are used in Mali G710, G610 and G510 chips present in Google Pixel 7, Asus ROG Phone 6, Redmi Note 11 and 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge and OnePlus 10R.

Android devices using the Mali G710 chip (GSMArena)

Bifrost drivers are used in older Mali G76, G72 and G52 (2018) chips used by Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S and Realme 7.

Midgard drivers are used in even older (2016) Mali T800 and T700 series chips, including Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X and Redmi Note 4.

There is nothing users can do to mitigate these flaws other than waiting for the vendor to provide appropriate patches and keeping an eye out for potential threats.

Older models using Midgard drivers are extremely unlikely to receive a patch, so they must be completely replaced.

Mali GPU drivers are used by system-on-chip devices from vendors such as MediaTek, HiSilicon Kirin, and Exynos, which power most Android devices on the market.

At this time, Arm’s patch has not reached OEM partners and is being tested for Android and Pixel devices. In a few weeks, Android will deliver the fix to its partners, who are responsible for implementing the fix.


