Google Project Zero disclosed that several smartphone manufacturers have failed to provide patches for vulnerabilities in Android GPUs.
Google Project Zero, a security division focussed on identifying vulnerabilities, warns that several Android smartphone manufacturers have yet to release fixes for vulnerabilities found in Arm’s Mali GPU driver earlier this year.
Five severe security issues were found in Arm’s Mali GPU driver in June, July and August. Three of the five flaws can result in a physical page use-after-free condition. One can lead to physical addresses being exposed and another can corrupt kernel memory.
Manufacturers at fault
In a blog post from Project Zero on November 22, security professional Ian Beer outlined how the Mali vulnerabilities “collided” with exploits found on dark web pages that advertise zero-days to cybercriminals.
To its credit, Arm patched the five vulnerabilities from July to August, released the updated drivers on its developer website and acknowledged the issues on its vulnerabilities page.
Fast forward to late November, and the major vendors that use the driver in their smartphones have yet to push any patches. Project Zero specifically named Samsung, Xiaomi, Guangdong Oppo Mobile Telecommunications and Google Pixel.
Beer emphasizes that providers, including Google, are required to provide users with security upgrades. “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies”, he said.
“Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”