Heimdal
article featured image

Contents:

Millions of Android devices are still vulnerable to a security risk due to five exploitable flaws in Arm’s Mali GPU driver, even though the vendor patched them months ago. 

As you can see from this list of vulnerable Google devices, there are many famous names, including ones made by Google and Samsung. Although a security fix is still on the way at the time of writing this, it’s good to know that some major vendors have released patches.

Project Zero, a team at Google that searches for and reports security problems in consumer products, recently highlighted the “patch gap” plaguing Android devices. It typically takes several months for firmware updates to reach devices on the supply chain.

Original Equipment Manufacturers need time to test and implement the fixes into their devices, a process that prolongs the time before the update reaches end-user devices.

In June of 2022, Project Zero found out about the vulnerabilities. These security flaws have been assigned the identifiers CVE-2022-33917 and CVE-2022-36449.

The ‘Patch Gap’ Flaws and Their Impact

CVE-2022-33917 is a vulnerability that allows a non-privileged user to perform improper GPU processing operations to access free memory sections. It impacts Arm Mali GPU kernel drivers Valhall r29p0 through r38p0.

The second identifier, CVE-2022-36449, consists of issues that allow a non-privileged user to gain access to freed memory, write outside of buffer bounds, and disclose details of memory mappings.

This security update impacts the Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p before -r-38-p1.

Project Zero tracks these issues as numbers 2325, 2327, 2331, 2333, and 2334. Technical details for each of them have been provided.

The vulnerabilities detailed in this report can be used to exploit specific Android devices, leading to service disruptions. The severity of these issues is medium.

Google Pixel 7, Asus ROG Phone 6, Redmi Note 11, 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro, and Reno 8 Pro all have Mali G710, G610, and G510 chips inside them.

Bifrost drivers are used in the older (2018) Mali G76, G72, and G52 chips. They’re on Samsung Galaxy S10, S9, A51, and A71; Redmi Note 10, Huawei P30 and P40 Pro; Honor View 20, Motorola Moto G60S, and Realme 7.

This driver from Midgard is compatible with the Mali T800 and T700 series chips, most notably found inside the Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, Redmi Note 4, and more.

Users have no way to combat these security flaws. They can only hope that the vendor provides appropriate patches and keeps an eye out to prevent damage or harm.

Older versions (e.g., Midgard) of these products are not likely to be included in any more fixings, so they should be replaced with newer models.

Most Android devices use Mali GPU drivers. This includes devices from MediaTek, HiSilicon, and Samsung.

The Arm fix for Spectre and Meltdown has yet to be delivered to all OEM partners but is being tested on Android and Pixel devices. In a few weeks, Android will provide the fix to its partnering OEMs responsible for implementing the fixes.

Conclusion

Google Project Zero says that security teams will have to remain vigilant in their efforts until there’s a better way to sync patches and updates.

Minimizing the ‘patch gap’ for a vendor in these scenarios is arguably more critical, as it allows end users (or other vendors downstream) to receive the security benefits of the patch.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

linkedin icon

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE