Five medium security flaws in Arm’s Mali GPU driver remain unpatched on Android devices for months, despite fixes released by the chipmaker.
Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022.
The vulnerabilities, collectively tracked under the identifiers CVE-2022-33917 with CVSS score: 5.5 and CVE-2022-36449 with CVSS score: 6.5, concern a case of improper memory processing, thereby allowing a non-privileged user to gain access to freed memory.
The list of affected drivers is below –
- Valhall GPU Kernel Driver: All versions from r29p0 – r38p0
- Midgard GPU Kernel Driver: All versions from r4p0 – r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r38p0, and r39p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r38p0, and r39p0
This showcases a patching deviation can render millions of devices vulnerable at once and put them at risk of heightened exploitation by threat actors.
Google Project Zero researchers says that security teams will have to remain vigilant in their efforts until there’s a better way to sync patches and updates.
Minimizing the ‘patch gap’ for a vendor in these scenarios is arguably more critical, as it allows end users to receive the security benefits of the patch
Note : Part of this writeup referred from The Hacker News