Date: 2022-11-25

Google, Samsung, Xiaomi, and various other Android device manufacturers have let five security vulnerabilities relating to Arm’s Mali GPU driver go unpatched for months, according to Google Project Zero.

This is despite Arm having released fixes for the five medium-severity flaws in July and August 2022.

“These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others),” Project Zero researcher Ian Beer said.

“Devices with a Mali GPU are currently vulnerable.”

The vulnerabilities relate to improper memory processing, which could allow a malicious actor access to freed memory.

The flaws are tracked collectively under the identifiers CVE-2022-33917 and CVE-2022-36449, with Common Vulnerability Scoring System (CVSS) scores of 5.5 and 6.5, respectively.

The second vulnerability attracts a higher CVSS score, as Arm said it could be further exploited to write outside of buffer bounds and disclose memory mapping details.

According to Arm, the affected GPU drivers are as follows:

CVE-2022-33917 — Valhall GPU Kernel Driver: All versions from r29p0 to r38p0

CVE-2022-36449 — Midgard GPU Kernel Driver: All versions from r4p0 to r32p0

CVE-2022-36449 — Bifrost GPU Kernel Driver: All versions from r0p0 to r38p0, and r39p0

CVE-2022-36449 — Valhall GPU Kernel Driver: All versions from r19p0 to r38p0, and r39p0
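The version list above turned into a fleet check, as an added example that is not code from Arm, Project Zero or the original article. It assumes the ranges are inclusive and that a device inventory already records the GPU family and the `rXpY` driver version; the function names and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges exactly as listed above: (CVE, family, first, last, extra exact versions).
AFFECTED = [
    ("CVE-2022-33917", "valhall", "r29p0", "r38p0", ()),
    ("CVE-2022-36449", "midgard", "r4p0", "r32p0", ()),
    ("CVE-2022-36449", "bifrost", "r0p0", "r38p0", ("r39p0",)),
    ("CVE-2022-36449", "valhall", "r19p0", "r38p0", ("r39p0",)),
]

_VERSION = re.compile(r"r(\d+)p(\d+)")

def parse_version(text):
    """Turn 'r38p0' into (38, 0) so versions compare numerically, not as strings."""
    m = _VERSION.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"not an rXpY driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def affected_cves(family, version):
    """Return the sorted CVE IDs from the list that cover this family and version."""
    ver = parse_version(version)
    hits = set()
    for cve, row_family, first, last, extras in AFFECTED:
        if row_family != family.strip().lower():
            continue
        in_range = parse_version(first) <= ver <= parse_version(last)
        # Versions listed after "and" are matched exactly, not treated as a new upper bound.
        is_extra = ver in {parse_version(e) for e in extras}
        if in_range or is_extra:
            hits.add(cve)
    return sorted(hits)

def audit(inventory):
    """Map each device label to its CVE list; unparseable versions are flagged for review."""
    report = {}
    for device, family, version in inventory:
        try:
            report[device] = affected_cves(family, version)
        except ValueError:
            report[device] = ["UNKNOWN-VERSION"]
    return report

# Constructed inventory rows (device label, GPU family, driver version); not real devices.
SAMPLE_INVENTORY = [
    ("lab-phone-a", "Valhall", "r30p0"),
    ("lab-phone-b", "Midgard", "r10p0"),
    ("lab-phone-c", "Valhall", "unknown"),
]
```

Calling `audit(SAMPLE_INVENTORY)` returns a per-device CVE list; an empty list means the version falls outside the ranges listed above, and `UNKNOWN-VERSION` marks a record that needs manual follow-up.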

If exploited successfully, the flaws could allow an attacker with permission to execute code through an app to take control of the device and work around Android permissions to access more user data.