Google’s Project Zero this week highlighted the “gap” in getting security patches out the door and to affected users, and in doing so also revealed that millions of Android phones are at risk of an active security vulnerability.
The specific issue that Google’s Project Zero is highlighting this week is a security vulnerability known as CVE-2022-33917. It’s a vulnerability that affects devices using Arm’s Mali GPU, which means it affects Google Pixel, Samsung Galaxy, and countless other Android smartphones.
If exploited, it would allow an attacker to “read and write physical pages after they had been returned to the system,” potentially gaining “broad access” to a user’s data.
Arm apparently fixed these issues for its Mali GPUs a while back, after they were first discovered in June and July. But several months later, Project Zero found that many Android devices from Samsung, Oppo, Xiaomi, and even Google’s own Pixel lineup have yet to implement these fixes, leaving the vulnerability open.
We reported these five issues to ARM when they were discovered between June and July 2022. ARM fixed the issues promptly in July and August 2022, disclosing them as security issues on their Arm Mali Driver Vulnerabilities page (assigning CVE-2022-36449) and publishing the patched driver source on their public developer website.
…we discovered that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.
It’s worth noting that this doesn’t apply to devices using Qualcomm Snapdragon chips, as those do not use Arm’s Mali GPU. However, devices using MediaTek chips, Samsung Exynos, as well as Google Tensor are affected.
Update 11/27: In a statement from the Android and Pixel teams, Google says that a fix for this exploit is currently in testing and will be delivered in the “coming weeks.” The patch will also be required for Android partners.
The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.
More on Android:
- Gmail for Android’s bottom bar is now appearing more often
- Samsung boasts speedy Android 13 rollout, wants Android 14 to be even faster
- Google Voice is one of the first apps adding support for Android’s new image picker
FTC: We use income earning auto affiliate links. More.