Google’s Project Zero this week highlighted the “gap” in getting security patches out the door and to affected users, and in doing so also revealed that millions of Android phones are at risk of an active security vulnerability.

The specific issue that Google’s Project Zero is highlighting this week is a security vulnerability known as CVE-2022-33917. It’s a vulnerability that affects devices using Arm’s Mali GPU, which means it affects Google Pixel, Samsung Galaxy, and countless other Android smartphones.

If exploited, it would allow an attacker to “read and write physical pages after they had been returned to the system,” potentially gaining “broad access” to a user’s data.

Arm apparently fixed these issues for its Mali GPUs a while back, after they were first discovered in June and July. But several months later, Project Zero found that many Android devices from Samsung, Oppo, Xiaomi, and even Google’s own Pixel lineup have yet to implement these fixes, leaving the vulnerability open.

We reported these five issues to ARM when they were discovered between June and July 2022. ARM fixed the issues promptly in July and August 2022, disclosing them as security issues on their Arm Mali Driver Vulnerabilities page (assigning CVE-2022-36449) and publishing the patched driver source on their public developer website.

…we discovered that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.

It’s worth noting that this doesn’t apply to devices using Qualcomm Snapdragon chips, as those do not use Arm’s Mali GPU. However, devices using MediaTek chips, Samsung Exynos, as well as Google Tensor are affected.


Update 11/27: In a statement from the Android and Pixel teams, Google says that a fix for this exploit is currently in testing and will be delivered in the “coming weeks.” The patch will also be required for Android partners.

The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.


More on Android:

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.