A set of 5 medium-severity safety flaws in Arm’s Mali GPU driver has continued to stay unpatched on Android gadgets for months, regardless of fixes launched by the chipmaker.
Google Challenge Zero, which found and reported the bugs, stated Arm addressed the shortcomings in July and August 2022.
“These fixes haven’t but made it downstream to affected Android gadgets (together with Pixel, Samsung, Xiaomi, Oppo, and others),” Challenge Zero researcher Ian Beer stated in a report. “Units with a Mali GPU are at the moment weak.”
The vulnerabilities, collectively tracked beneath the identifiers CVE-2022-33917 (CVSS rating: 5.5) and CVE-2022-36449 (CVSS rating: 6.5), concern a case of improper reminiscence processing, thereby permitting a non-privileged consumer to achieve entry to freed reminiscence.
The second flaw, CVE-2022-36449, could be additional weaponized to jot down outdoors of buffer bounds and disclose particulars of reminiscence mappings, in accordance with an advisory issued by Arm. The checklist of affected drivers is under –
- Valhall GPU Kernel Driver: All variations from r29p0 – r38p0
- Midgard GPU Kernel Driver: All variations from r4p0 – r32p0
- Bifrost GPU Kernel Driver: All variations from r0p0 – r38p0, and r39p0
- Valhall GPU Kernel Driver: All variations from r19p0 – r38p0, and r39p0
The findings as soon as once more spotlight how patch gaps can render thousands and thousands of gadgets weak directly and put them susceptible to heightened exploitation by risk actors.
“Simply as customers are really useful to patch as rapidly as they will as soon as a launch containing safety updates is obtainable, so the identical applies to distributors and corporations,” Beer stated.
“Firms want to stay vigilant, comply with upstream sources carefully, and do their greatest to supply full patches to customers as quickly as attainable.”