A set of five medium-severity security flaws in Arm's Mali GPU driver has remained unpatched on Android devices for months, despite fixes released by the chipmaker.
Google Project Zero, which found and reported the bugs, said Arm addressed the shortcomings in July and August 2022.
“These fixes haven’t yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others),” Project Zero researcher Ian Beer said in a report. “Devices with a Mali GPU are at present susceptible.”
The vulnerabilities, collectively tracked under the identifiers CVE-2022-33917 (CVSS score: 5.5) and CVE-2022-36449 (CVSS score: 6.5), concern a case of improper memory processing, thereby allowing a non-privileged user to gain access to freed memory.
The second flaw, CVE-2022-36449, could be further weaponized to write outside of buffer bounds and disclose details of memory mappings, according to an advisory issued by Arm. The list of affected drivers is below:
CVE-2022-33917
- Valhall GPU Kernel Driver: All versions from r29p0 – r38p0
CVE-2022-36449
- Midgard GPU Kernel Driver: All versions from r4p0 – r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r38p0, and r39p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r38p0, and r39p0
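For fleet triage, the affected ranges listed above can be turned into a version check. This is an added example, not code from Arm or Project Zero; it assumes the range bounds are inclusive and that driver versions are reported as bare `rNpM` strings, and the device inventory is constructed sample data.

```python
import re

# Affected ranges transcribed from the list above. Bounds are treated as
# inclusive, which is an assumption about how "from X - Y" should be read.
AFFECTED = {
    "CVE-2022-33917": {"valhall": [("r29p0", "r38p0")]},
    "CVE-2022-36449": {
        "midgard": [("r4p0", "r32p0")],
        "bifrost": [("r0p0", "r38p0"), ("r39p0", "r39p0")],
        "valhall": [("r19p0", "r38p0"), ("r39p0", "r39p0")],
    },
}

_VERSION = re.compile(r"^r(\d+)p(\d+)$")


def parse_version(text):
    """Turn 'r38p0' into (38, 0) so versions compare numerically, not as text."""
    match = _VERSION.match(text.strip().lower())
    if not match:
        raise ValueError(f"not an rNpM driver version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def affected_cves(family, version):
    """Return the CVEs from the list above that cover this driver family/version."""
    fam = family.strip().lower()
    ver = parse_version(version)
    hits = []
    for cve, families in AFFECTED.items():
        ranges = families.get(fam, [])
        if any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


def triage(inventory):
    """Map each device to its matching CVEs; unparsable versions are flagged."""
    report = {}
    for device, family, version in inventory:
        try:
            report[device] = affected_cves(family, version)
        except ValueError:
            report[device] = ["UNKNOWN-VERSION"]  # needs manual review
    return report


# Constructed sample inventory: (device label, GPU family, driver version).
SAMPLE = [("phone-a", "Valhall", "r30p0"), ("phone-b", "Bifrost", "r40p0"),
          ("tablet-c", "Midgard", "r32p0"), ("phone-d", "Valhall", "unknown")]

if __name__ == "__main__":
    for device, cves in triage(SAMPLE).items():
        print(device, cves or "not in an affected range")
```

A device whose version cannot be parsed is flagged rather than treated as unaffected, so a reporting gap is not mistaken for a patched driver.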
The findings once again highlight how patch gaps can render tens of millions of devices vulnerable at once and put them at risk of heightened exploitation by threat actors.
“Just as customers are recommended to patch as rapidly as they can as soon as a release containing security updates is available, so the same applies to distributors and firms,” Beer said.
“Companies want to stay vigilant, follow upstream sources closely, and do their best to offer full patches to customers as quickly as possible.”