A report published by Google’s Project Zero security team revealed that there are five security vulnerabilities in the drivers for the Mali GPU graphics processing unit from Arm, which is found in millions of Android phones.
According to the report, the five vulnerabilities are still vulnerable to exploitation, although chip maker Arm fixed them months ago, exposing millions of users to cyberattacks.
There are drivers for the Mali graphics processing unit in phones from prominent companies, such as Google, Samsung, Xiaomi, and OPPO, in addition to many other smartphone manufacturers that are waiting for the fix to be available to present to users.
The report, published by the Project Zero team, highlights the “patch gap” issue that has plagued the Android supply chain, as it usually takes a few months for security updates for the firmware to reach affected devices.
OEM partners need time to test and implement repairs on their devices, a process that extends the time to end-user devices.
Mali GPU vulnerabilities and their impact on Android phones
The Project Zero team discovered the vulnerabilities last June, and they are being tracked with the following identifiers: CVE-2022-33917 and CVE-2022-36449.
CVE-2022-33917 allows an unprivileged user to perform inappropriate graphics processing operations to access free memory sections.
Another identifier CVE-2022-36449 includes issues that allow an unprivileged user to access freed memory, write outside buffer boundaries, and expose details of memory mappings.
While the severity of the issues is moderate, they are exploitable and affect a large number of Android devices.
The first identifier drivers are used in the Mali G710, Mali G610, and Mali G510 chips found in Google Pixel 7, Asus ROG Phone 6, Redmi Note 11, Redmi Note 12, Honor 70 Pro, Realme GT, Xiaomi 12 Pro, Oppo Find X5 Pro, Oppo Reno 8 Pro, Motorola Edge, and OnePlus 10R.
The drivers for the other identifier are in Mali G76, Mali G72, and Mali G52 chips older than 2018 and are used in Samsung Galaxy S10, Galaxy S9, Galaxy A51, Galaxy A71, and Redmi Note. 10, Huawei P30, Huawei P40 Pro, Honor View 20, Motorola Moto G60s, Realme 7.
The drivers for the other identifier are also used in the Mali T800 and Mali T700 chipsets launched in 2016, which are mainly found inside the phones: Samsung Galaxy S7, Galaxy Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, And LG X, and Redmi Note 4.
Currently, there is nothing users can do to mitigate the impact of these vulnerabilities except wait for the phone manufacturer to provide appropriate patches and monitor for potential threats.
Older models that use only a few other ID drivers are less likely to receive a patch install, so they should be replaced entirely.
It is noteworthy that the drivers for the Mali GPU graphics processing unit are used by SoC chips from companies such as MediaTek, Huawei’s HiSilicon Kirin, and Samsung’s Exynos, which powers most Android devices on the market.
It’s also worth noting that the fix from Arm hasn’t reached phone makers yet, but it’s being tested at Google for Android and Pixel phones. In a few weeks, the Android system will provide the patch to the companies that will release it for their phones.
