Spyware vendor exploiting kernel flaw in Arm Mali GPU drivers

Arm Mali GPUs affected by CVE-2023-4211, which was discovered by Google researchers, include a wide range of Android phones as well as ChromeOS devices such as Chromebooks.

An unnamed spyware vendor is exploiting a vulnerability in GPU kernel drivers developed by semiconductor and software giant Arm, according to a statement provided by Google to TechTarget Editorial.

The flaw, tracked as CVE-2023-4211, affects kernel drivers in Arm's Mali GPU, a popular processor series used in multiple technology sectors but commonly found in Android devices. According to Arm's advisory, a local, non-privileged user exploiting the vulnerability "can make improper GPU memory processing operations to gain access to already freed memory."

Moreover, Arm noted that "there is evidence that this vulnerability may be under limited, targeted exploitation."

The semiconductor vendor attributed discovery to Maddie Stone, security researcher at Google's Threat Analysis Group (TAG), and Jann Horn, security researcher at Google Project Zero. Though Arm disclosed CVE-2023-4211 on Monday, Google first referenced the vulnerability in a Chrome release blog post in August. Google released a patch for its Pixel devices, which feature Arm Mali GPUs, on Sept. 18.

A spokesperson for Google TAG told TechTarget Editorial that the group "can confirm the CVE was used in the wild by a commercial surveillance vendor" and that more technical details will be available at a later date in alignment with its vulnerability disclosure policy. Google uses the term "surveillance vendor" to refer to vendors that sell spyware, such as the NSO Group and Intellexa.

Update 10/4: In an email, an Arm spokesperson told TechTarget Editorial that it was informed of the issue on Aug. 4 but that the vulnerability "was already fixed when it was brought to our attention." Asked about why Arm disclosed the flaw now rather than earlier, the spokesperson said, "The timing of our public disclosure allowed for our ecosystem to have appropriate time to respond to the vulnerability."

Regarding the identity of the spyware vendor exploiting the flaw, the spokesperson said its identity "would be more appropriate to clarify with Google."

The flaw affects the following GPU kernel drivers (per the advisory):

  • All versions of Midgard GPU kernel drivers from r12p0 to r32p0.
  • All Bifrost GPU kernel driver versions from r0p0 to r42p0.
  • All Valhall GPU kernel driver versions from r19p0 to r42p0.
  • All versions of Arm's 5th Gen GPU Architecture kernel driver from r41p0 to r42p0.

CVE-2023-4211 has not been assigned a CVSS severity rating at press time.

Arm advises affected users to upgrade to a fixed version of the GPU kernel driver, which for the Arm 5th Gen GPU Architecture, Bifrost and Valhall drivers is r43p0. For Midgard GPUs, "please contact Arm support."
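As a practical aid to the affected-version list and the upgrade advice above, the following checker is an added example (not code from the article, Arm or Google): it parses Mali driver versions in the rXpY form the advisory uses and reports, per driver family, whether a given version falls in an affected range and what remediation the advisory prescribes. The range table is taken from the article; the sample inventory is constructed, and how the version string is obtained from a device is assumed to be handled elsewhere.

```python
import re
from typing import Optional, Tuple

# Affected ranges per Arm's advisory for CVE-2023-4211, as quoted in the article.
# Ranges are inclusive at both ends: r42p0 is affected, r43p0 is the fixed release.
# Midgard has no fixed release listed; the advisory says to contact Arm support.
AFFECTED_RANGES = {
    "midgard": (("r12p0", "r32p0"), None),
    "bifrost": (("r0p0", "r42p0"), "r43p0"),
    "valhall": (("r19p0", "r42p0"), "r43p0"),
    "5th gen": (("r41p0", "r42p0"), "r43p0"),
}

_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int]:
    """Parse a Mali driver version such as 'r42p0' into a comparable (release, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Mali driver version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(family: str, version: str) -> bool:
    """True if the driver version lies inside the advisory's affected range for its family."""
    key = family.strip().lower()
    if key not in AFFECTED_RANGES:
        raise ValueError(f"unknown Mali driver family: {family!r}")
    (low, high), _fixed = AFFECTED_RANGES[key]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def remediation(family: str, version: str) -> str:
    """Return the action the advisory prescribes for this driver, or a no-action message."""
    if not is_affected(family, version):
        return "not in an affected range"
    _range, fixed = AFFECTED_RANGES[family.strip().lower()]
    if fixed is None:
        return "affected; no fixed release listed, contact Arm support"
    return f"affected; upgrade to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample inventory (device label, driver family, driver version); not real data.
    inventory = [("phone-a", "Valhall", "r40p0"), ("phone-b", "Bifrost", "r43p0"), ("tv-c", "Midgard", "r20p0")]
    for name, fam, ver in inventory:
        print(f"{name}: {fam} {ver}: {remediation(fam, ver)}")
```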

Alexander Culafi is a writer, journalist and podcaster based in Boston.