 |
| Mali GPU vulnerabilities leave millions |
According to a report by the Google Project Zero security team, there are five vulnerabilities in the Arm Mali GPU drivers that are present in millions of Android phones.
According to the report, all five vulnerabilities are still vulnerable to exploits, despite chip maker Arm patching them months ago, exposing millions of users to cyberattacks.
There are drivers for financial GPUs in phones from well-known companies such as: Google, Samsung, Xiaomi, and Oppo, as well as many other smartphone manufacturers that are waiting to provide users with fixes.
The report released by Team Zero Project highlights a "patch gap" issue plaguing the Android supply chain, where firmware security updates take months to reach affected devices.
OEM partners need time to test and implement repairs on their devices, a process that adds time to end-user devices.
Mali GPU vulnerability and its impact on Android phones
The Project Zero team discovered the vulnerabilities last June and tracked them with the following IDs: CVE-2022-33917 and CVE-2022-36449.
CVE-2022-33917 allows a non-privileged user to perform inappropriate graphics manipulation to access free portions of memory.
Other identifiers for CVE-2022-36449 include issues that allow unprivileged users to access shared memory, write outside buffer boundaries, and expose memory card details.
Although the issues are of moderate severity, they are exploitable and affect a large number of Android devices.
First ID driver for Mali G710, Mali G610, and Mali G510 chipsets found in: Google Pixel 7, Asus ROG Phone 6, Redmi Note 11, Redmi Note 12, Honor 70 Pro, Realme GT, Mi 12 Pro, Oppo Find X5 Pro, Oppo Reno 8 Pro, Motorola Edge, and OnePlus 10R.
Drivers for a different ID will be used in Mali G76, Mali G72 and Mali G52 chips in early 2018 and will be installed in Samsung Galaxy S10, Galaxy S9, Galaxy A51, Galaxy A71, Redmi Note.10, Huawei P30, Huawei P40 Pro, Honor uses View 20, Motorola Moto G60s, Realme 7.
Drivers for different ID are also used in Mali T800 and Mali T700 chipsets launched in 2016 and mainly found in phones: Samsung Galaxy S7, Galaxy Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, Redmi Grade 4.
Currently, users can do nothing to mitigate the impact of these vulnerabilities except wait for appropriate patches from phone manufacturers and monitor them for potential threats.
Older models that use only a few other ID drivers will likely not receive the patch installations, requiring their entire replacement.
Specifically, Mali GPU drivers are used by MediaTek SoC chips, HiSilicon Kirin from Huawei, and Exyno from Samsung that power most of the Android devices on the market.
It's also worth noting that the Arms Patch hasn't reached phone makers yet, but it's being tested at Google for Android and Pixel phones. In a few weeks, Android will provide companies with patches that they release to phones.