Arm, in a security advisory today, is warning of an actively exploited vulnerability affecting the widely used Mali GPU drivers.
The flaw is currently tracked as CVE-2023-4211 and was discovered and reported to Arm by researchers at Google’s Threat Analysis Group (TAG) and Project Zero.
Details are not publicly available, but the security issue is described as an improper access to freed memory, a problem that could allow compromising or manipulating sensitive data.
“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm explains in the advisory.
The company adds that it has found evidence that the vulnerability “may be under limited, targeted exploitation.”
The following driver versions are impacted by the vulnerability:
- Midgard GPU kernel driver: All versions from r12p0 to r32p0
- Bifrost GPU kernel driver: All versions from r0p0 to r42p0
- Valhall GPU kernel driver: All versions from r19p0 to r42p0
- Arm 5th Gen GPU Architecture kernel driver: All versions from r41p0 to r42p0
The Midgard, Bifrost, and Valhall series were introduced in 2013, 2016, and 2019, respectively, so they concern older device models.
Popular devices using the Valhall architecture (Mali-G77) include the Samsung Galaxy S20/S20 FE, Xiaomi Redmi K30/K40, Motorola Edge 40, and OnePlus Nord 2.
Arm’s fifth-gen GPU architecture was introduced to the market in May 2023, with the Mali-G720 and Mali-G620 chips aimed at premium, high-performance smartphones.
The vendor says that the vulnerability has been addressed for the Bifrost, Valhall, and Arm 5th Gen GPU Architecture with kernel driver version r43p0 (released on March 24, 2023). Midgard is no longer supported, so it is unlikely to get a patch for CVE-2023-4211.
The availability of a patch for a vulnerable device depends on how quickly the device maker and vendor manage to integrate it into a reliable update. Because the complexities of the supply chain vary, some users will receive the fix before others.
Other flaws Arm disclosed in the same bulletin are CVE-2023-33200 and CVE-2023-34970, which allow a non-privileged user to exploit a race condition to perform improper GPU operations to access already freed memory.
They impact Bifrost, Valhall, and Arm’s 5th Gen GPU Architecture kernel driver versions up to r44p0, with the recommended upgrade targets being r44p1 and r45p0 (released on September 15, 2023).
All three vulnerabilities are exploitable by an attacker with local access to the device, which is typically achieved by tricking users into downloading applications from unofficial repositories.
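For teams triaging a device inventory against the version ranges above, the following added example (not code from Arm or from the original article) parses an rNpM driver version and reports which of the three CVEs apply. The family labels, device names and the absence of a lower bound for the two race-condition CVEs are assumptions; the article only states "up to r44p0" for those.

```python
import re

# CVE-2023-4211 affected ranges (inclusive) exactly as listed in the article.
CVE_2023_4211 = {
    "midgard": ((12, 0), (32, 0)),
    "bifrost": ((0, 0), (42, 0)),
    "valhall": ((19, 0), (42, 0)),
    "5th-gen": ((41, 0), (42, 0)),
}
# The article gives only an upper bound ("up to r44p0") for the two race
# conditions, so no lower bound is applied here (assumption).
RACE_CVES = ["CVE-2023-33200", "CVE-2023-34970"]
RACE_FAMILIES = {"bifrost", "valhall", "5th-gen"}
RACE_LAST_AFFECTED = (44, 0)

_VERSION = re.compile(r"r(\d+)p(\d+)")


def parse_version(text):
    """Turn 'r38p1' into (38, 1) so versions compare as tuples."""
    m = _VERSION.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"not an rNpM driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(family, version):
    """Return the CVEs from the article that apply to this driver build."""
    family = family.strip().lower()
    if family not in CVE_2023_4211:
        raise ValueError(f"unknown driver family: {family!r}")
    v = parse_version(version)
    low, high = CVE_2023_4211[family]
    hits = ["CVE-2023-4211"] if low <= v <= high else []
    if family in RACE_FAMILIES and v <= RACE_LAST_AFFECTED:
        hits += RACE_CVES
    return hits


# Constructed inventory rows: (hypothetical device label, family, version).
SAMPLE_FLEET = [
    ("handset-a", "valhall", "r38p1"),
    ("handset-b", "bifrost", "r43p0"),
    ("tablet-c", "midgard", "r32p0"),
    ("handset-d", "5th-gen", "r45p0"),
]

if __name__ == "__main__":
    for device, family, version in SAMPLE_FLEET:
        cves = triage(family, version)
        note = " (Midgard: no longer supported)" if family == "midgard" and cves else ""
        print(f"{device}: {', '.join(cves) or 'not in listed ranges'}{note}")
```

A build on r43p0 clears CVE-2023-4211 but still falls under the two race-condition CVEs, which is why the later upgrade targets (r44p1 and r45p0) matter for fleets that stopped at the first fix.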