
The latest update from Google fixes the most severe threat of the Mali GPU bug exploited as a zero-day.

This week Google issued a security update that addresses dozens of vulnerabilities, including five that are deemed “critical” in their severity by the US Cybersecurity and Infrastructure Security Agency (CISA).

This week’s monthly security update for the Android platform, designated 2023-06-05, fixes a total of 56 vulnerabilities. One standout fix is for a high-severity flaw in the Mali GPU kernel driver from Arm. Google’s Threat Analysis Group (TAG) has tagged this bug as possibly having been used in a spyware campaign targeting Samsung phones.

Bug allows unauthorised access to memory pages

The bug, designated as CVE-2022-22706, is described by NIST as “Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages”.

According to Google’s Security Bulletin of June 5: “There are indications that CVE-2022-22706 may be under limited, targeted exploitation”. It should be noted that this particular bug has been around for a while. Google’s TAG researchers found an exploit chain using that vulnerability back in December 2022.

In fact, CISA ordered all US government agencies to patch their mobiles against CVE-2022-22706 in March.

CVE-2022-22706

The vulnerability has a severity score of 7.8 out of 10. This puts it in the “high” severity category.

According to Arm, the issue impacts the following kernel driver versions:

  • Midgard GPU Kernel Driver: All versions from r26p0 – r31p0
  • Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0
  • Valhall GPU Kernel Driver: All versions from r19p0 – r35p0

Arm fixed the issue in Bifrost and Valhall GPU Kernel Driver r36p0 and in Midgard Kernel Driver r32p0, but the fix trickled into the stable version of Android only now.
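For fleet triage, the version ranges and fixed releases above can be turned into a simple check. The following is an added example, not code from Arm or Google; the device names and inventory are constructed, and the assumed version format ("r<N>p<M>" with an optional release suffix) and the conservative handling of point releases below the fixed version are this example's assumptions.

```python
import re

# First affected and first fixed driver release per GPU family, as (r, p) tuples,
# taken from the ranges and fix versions listed above.
RANGES = {
    "midgard": ((26, 0), (32, 0)),
    "bifrost": ((0, 0), (36, 0)),
    "valhall": ((19, 0), (36, 0)),
}

# Assumption: versions are reported as "r<N>p<M>", optionally followed by a
# release suffix such as "-01eac0" that does not affect ordering.
_VERSION = re.compile(r"^r(\d+)p(\d+)(?:-[0-9a-z]+)?$")


def parse_version(text):
    """Parse a driver version string into a comparable (r, p) tuple."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(family, version):
    """Return 'affected', 'not-affected' or 'unknown' for one driver."""
    bounds = RANGES.get(family.strip().lower())
    if bounds is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    first_affected, first_fixed = bounds
    # Conservative choice (assumption): any release from the first affected
    # version up to, but not including, the fixed one counts as affected.
    return "affected" if first_affected <= v < first_fixed else "not-affected"


# Constructed sample inventory (not real devices).
INVENTORY = [
    ("phone-a", "Valhall", "r32p1-01eac0"),
    ("phone-b", "Bifrost", "r36p0"),
    ("tablet-c", "Midgard", "r25p0"),
    ("phone-d", "Valhall", "unknown"),
]


def report(inventory):
    """Map each device name to its triage result."""
    return {name: triage(family, ver) for name, family, ver in inventory}
```

Records that come back as "unknown" need a manual look rather than being treated as safe.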

Samsung addressed CVE-2022-22706 in its May 2023 update. “The company’s quick response to the active exploitation of the flaw is likely due to its users being explicitly targeted by the spyware campaign”.