Non-Snapdragon devices at risk from GPU exploits that have already been patched

No code is perfect, but when gaps are found that attackers can take advantage of, there’s always a chance it could open the floodgates for an unauthorized third party to gain full access to your devices. Luckily, it usually never comes to that, as these vulnerabilities are patched before disaster strikes, or quickly patched if it does. This is whytimely security patchesare important on thebest Android phones. That said, if your phone’s using a Mali GPU, you might want to take extra care for the next while as plugs for some recently-disclosed security holes are still making their way across devices.

Google’s Project Zero security research teamhas a blog postdetailing exploits it found based within Arm’s Mali GPU driver. Mobile chipsets from the likes of Samsung (Exynos), Google (Tensor), and MediaTek that include any Mali-branded GPU may be affected — not so much those owning devices running a Snapdragon SoC as those feature Qulacomm’s own Adreno GPU design.

4

Project Zero says one of its members performed an audit on the Mali GPU driver after a previous exploit it found was patched — they gave a presentation on that vulnerability at FirstCon22 in June.

Google says it reported these five issues to Arm months ago and they were promptly disclosed andfixed in the driver’s source. Yet, later downstream testing had revealed that the fixes have not made it to user builds, resulting in phones that are still vulnerable even today — despite the fact that Arm fixed these issues as early as July. Even recent Tensor-equipped Google Pixel phones are affected.

Google Home icon with some gadgets around it.

The aim of the post is to get OEMs to “mind the patch gap” and do their best to roll out security fixes to users as soon as possible. With a public callout like this, your phone’s manufacturer will be under pressure to pass along the patches — one Googler notes inProject Zero’s dedicated issue trackerthat the company will make manufacturers take the patches as part of future security patch requirements with Pixels being among the first to adopt them in “the coming weeks.”

The vulnerabilities are listed underCVE-2022-33917.

Samsung Notes logo in front of image containing S Pen and devices using Samsung Notes

UPDATE: 2022/11/27 18:26 EST BY JULES WANG

A spokesperson for Google reached out to note a patch rollout timeline as mentioned in a Project Zero Issue Tracker thread.

A great choice for those looking for value

The Google Play Store logo on a purple background

You can now learn languages too

Your new browser chrome-panion

arm-ap-hero

PlayStation Plus subscribers of all tiers are getting access to three excellent titles, including Psychonauts 2, in September

Get 14 ports for $170

All for better imaging