Millions of Android devices at risk of attack due to Arm Mali GPU driver flaws

Millions of Android devices are at risk of cyber-attacks due to the slow and cumbersome patching process plaguing the decentralized mobile platform.

Cybersecurity researchers on Google’s Project Zero team discovered a total of five vulnerabilities affecting the Arm Mali GPU driver.

The flaws are grouped under two identifiers, CVE-2022-33917 and CVE-2022-36449, and they provide threat actors with a variety of options, from accessing freed memory sections to writing outside buffer bounds. All have been given a severity score of “medium”.

More OEMs, slower patches

The bugs have since been patched, but hardware manufacturers have yet to apply these patches to their endpoints. Unlike Apple, which is the sole maker of both hardware and software for the iPhone mobile ecosystem, Google isn’t the only company making the software and hardware for Android.

Besides Google with its Pixel phone, many smartphone manufacturers build Android devices, such as Samsung, LG, Oppo and many others. All of these companies have their own custom versions of Android and their own approach to hardware. As a result, when a vulnerability is discovered, each original equipment manufacturer (OEM) must apply the patch to its own devices. This may take some time, as these patches sometimes conflict with device drivers or other components.

And that’s exactly the problem here.

The bugs affect Arm’s Mali GPU drivers codenamed Valhall, Bifrost and Midgard, and a long list of devices, including the Pixel 7, RealMe GT, Xiaomi 12 Pro, OnePlus 10R, Samsung Galaxy S10, Huawei P40 Pro and many, many others. The whole list can be found here.

At this point, users can do nothing but wait for their respective manufacturers to apply the patch, as it should be delivered to OEMs within a few weeks.

Via: BleepingComputer
