The Google Project Zero team recently discovered multiple security vulnerabilities in the Mali GPU of the Samsung Exynos chipset. One of the vulnerabilities could lead to kernel memory corruption, another could leak physical memory addresses, and three more involve use-after-free.
The Project Zero team says these vulnerabilities could allow an attacker to continue reading and writing physical pages after they have been returned to the system. In other words, an attacker executing native code in an app could gain full access to the system and bypass the Android OS permission model.
These security vulnerabilities discovered by Project Zero were brought to ARM’s attention in June and July of this year. A month later, ARM fixed these Mali-related security flaws, but as of this writing, no smartphone manufacturers have applied security patches to address these vulnerabilities.
ARM-designed Mali GPUs are currently used by many manufacturers, including Samsung, Xiaomi and OPPO, and the vulnerabilities were originally discovered while investigating Pixel 6 devices. Although the vulnerabilities were exposed by the Project Zero team, Google has not yet fixed them either.
Samsung devices such as the Galaxy S22 with Snapdragon processors are not affected by these vulnerabilities.