Five Exploits In ARM’s Mali GPU Driver Remain Unfixed

Researchers at Google’s Project Zero began discovering vulnerabilities in the Mali GPU driver in June 2022, collectively tracked as CVE-2022-33917 and CVE-2022-36449. The first, CVE-2022-33917, allows a non-privileged user to abuse GPU processing operations to access freed memory, impacting Arm Mali GPU kernel drivers Valhall r29p0 to r38p0. The second, CVE-2022-36449, allows a non-privileged user to manipulate freed memory to discover memory mapping details, impacting Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.

The vulnerabilities are rated as medium severity, but affect a wide range of Android devices. These devices include:


Analyst Notes

Unfortunately, users of these devices have no way to patch these vulnerabilities at this time. The ARM GPU chip manufacturers have released the fix to the maintainers of Android, who are testing it on Android/Pixel devices. Once the fix has been integrated into the Android code base, OEM partners will receive the patch from Android and will be responsible for implementing the fix and pushing it out to vulnerable Android devices. Users should regularly check for updates via their device's settings menu.