A set of five medium-severity security flaws in Arm's Mali GPU driver has remained unpatched on Android devices for months, despite fixes released by the chipmaker.
Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022.
"These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others)," Project Zero researcher Ian Beer said in a report. "Devices with a Mali GPU are currently vulnerable."
The vulnerabilities, collectively tracked under the identifiers CVE-2022-33917 (CVSS score: 5.5) and CVE-2022-36449 (CVSS score: 6.5), concern improper memory processing that allows a non-privileged user to gain access to freed memory.
The second flaw, CVE-2022-36449, can be further weaponized to write outside of buffer bounds and disclose details of memory mappings, according to an advisory issued by Arm. The list of affected drivers is below:
CVE-2022-33917:
- Valhall GPU Kernel Driver: All versions from r29p0 – r38p0
CVE-2022-36449:
- Midgard GPU Kernel Driver: All versions from r4p0 – r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r38p0, and r39p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r38p0, and r39p0
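As an added example (not code from the article or from Arm's advisory), the following Python checker parses Arm's rNNpM driver release strings and matches a device's Mali driver family and version against the ranges listed above; the device names in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected driver ranges as listed in the Arm advisory quoted above (inclusive,
# in Arm's rNNpM release notation). Family names are the advisory's.
AFFECTED: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "CVE-2022-33917": {"Valhall": [("r29p0", "r38p0")]},
    "CVE-2022-36449": {
        "Midgard": [("r4p0", "r32p0")],
        "Bifrost": [("r0p0", "r38p0"), ("r39p0", "r39p0")],
        "Valhall": [("r19p0", "r38p0"), ("r39p0", "r39p0")],
    },
}

_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$")

def parse_version(text: str) -> Tuple[int, int]:
    """Parse a Mali driver release string such as 'r38p1' into (release, patch)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not an rNNpM Mali driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def affected_cves(family: str, version: str) -> List[str]:
    """CVEs whose advisory ranges cover this driver family and version.
    An empty result only means the version is outside the advisory's ranges;
    it does not show that a vendor's build actually carries Arm's fix."""
    ver = parse_version(version)
    hits = []
    for cve, families in AFFECTED.items():
        for lo, hi in families.get(family, []):
            if parse_version(lo) <= ver <= parse_version(hi):
                hits.append(cve)
                break
    return hits

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map device -> affected CVEs for (device, family, version) rows."""
    return {dev: affected_cves(fam, ver) for dev, fam, ver in inventory}

# Constructed sample inventory (hypothetical devices, not from the article).
SAMPLE_INVENTORY = [("phone-a", "Valhall", "r32p1"),
                    ("phone-b", "Bifrost", "r39p0"),
                    ("phone-c", "Midgard", "r33p0")]

if __name__ == "__main__":
    for dev, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: {', '.join(cves) or 'outside advisory ranges'}")
```

Because Arm's fix has to be carried downstream by each vendor, a version inside these ranges is the signal to check for a vendor update, while a version outside them is not by itself proof that the device is patched.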
Successful exploitation of the flaws could permit an attacker who is already able to execute native code in an app context to seize control of the system and bypass Android's permissions model to gain broad access to user data.
Google told The Hacker News that the fix provided by Arm is currently undergoing testing for Android and Pixel devices, and that it's expected to ship in the coming weeks. Other Android handset makers will be required to adopt the patch to comply with future security patch level (SPL) requirements.
The findings once again highlight how patch gaps can render millions of devices vulnerable at once and put them at risk of heightened exploitation by threat actors.
"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," Beer said.
"Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible."