According to Arm, a local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.
Arm officials wrote in an advisory: "This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if this issue impacts them."
The advisory warned: "A local non-privileged user can make improper GPU processing operations to access a limited amount outside buffer bounds or exploit a software race condition. If the user carefully prepares the system's memory, this could give them access to already freed memory."
Accessing system memory that's no longer in use is a common mechanism for loading malicious code into a location an attacker can then execute. This code often allows them to exploit other vulnerabilities or to install malicious payloads for spying on the phone user.
Attackers often gain local access to a mobile device by tricking users into downloading malicious applications from unofficial repositories. The advisory mentions drivers for the affected GPUs being vulnerable but does not mention the microcode that runs inside the chips.
The most prevalent platform affected by the vulnerability is Google's Pixel line, which is one of the only Android device families to receive security updates on a timely basis.
Google patched Pixels in its September update against the vulnerability, which is tracked as CVE-2023-4211. Google has also patched Chromebooks that use the vulnerable GPUs.
Any device that shows a patch level of 2023-09-01 or later is immune to attacks that exploit the vulnerability.
The device driver on patched devices will show as version r44p1 or r45p0. CVE-2023-4211 is present in Arm GPUs released over the past decade. The affected Arm GPU kernel driver versions are:
- Midgard GPU Kernel Driver: All versions from r12p0 - r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0
- Valhall GPU Kernel Driver: All versions from r19p0 - r42p0
- Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 - r42p0
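For asset triage, the ranges above and the 2023-09-01 patch level can be turned into a check over a device inventory. This is an added example, not code from Arm or Google; the family labels, function names and inventory rows are constructed, and it assumes the driver version and Android patch level have already been collected for each device.

```python
import re
from datetime import date

# Affected kernel-driver ranges (inclusive), exactly as listed in the article.
AFFECTED = {
    "midgard": ((12, 0), (32, 0)),
    "bifrost": ((0, 0), (42, 0)),
    "valhall": ((19, 0), (42, 0)),
    "5th gen": ((41, 0), (42, 0)),
}
FIXED_PATCH_LEVEL = date(2023, 9, 1)  # Android patch level cited in the article

def parse_driver(version):
    """Turn 'r42p0' into (42, 0); raise ValueError on anything else."""
    m = re.fullmatch(r"r(\d+)p(\d+)", version.strip().lower())
    if not m:
        raise ValueError(f"not an rNpM driver version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def assess(family, driver, patch_level=None):
    """Return 'patched', 'affected', 'not-affected' or 'unknown' for one device."""
    if patch_level:
        try:
            if date.fromisoformat(patch_level) >= FIXED_PATCH_LEVEL:
                return "patched"  # vendor may have backported the fix
        except ValueError:
            pass  # unreadable patch level: fall back to the driver version
    bounds = AFFECTED.get(family.strip().lower())
    if bounds is None:
        return "unknown"
    try:
        ver = parse_driver(driver)
    except ValueError:
        return "unknown"  # do not guess when the version cannot be parsed
    low, high = bounds
    return "affected" if low <= ver <= high else "not-affected"

# Constructed inventory rows: (host, GPU family, driver version, patch level)
INVENTORY = [
    ("pixel-a", "Valhall", "r42p0", "2023-08-05"),
    ("pixel-b", "Valhall", "r44p1", "2023-09-01"),
    ("tablet-c", "Midgard", "r32p0", "2021-03-01"),
    ("kiosk-d", "Bifrost", "r43p0", None),
    ("board-e", "Bifrost", "unknown", None),
]

def triage(rows):
    return {host: assess(fam, drv, spl) for host, fam, drv, spl in rows}
```

Devices reported as `unknown` need manual follow-up, since neither an affected range nor a fixed patch level could be confirmed for them.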