Vulnerability not yet fixed leaves millions of Android phones at risk

According to Google’s Project Zero team of security analysts, millions of Android handsets are exposed to an unpatched vulnerability known as CVE-2022-33917. CVE stands for Common Vulnerabilities and Exposures, and each CVE number refers to a specific flaw. The aforementioned CVE is a vulnerability that affects Android devices that are equipped with ARM’s Mali GPU. That means that Google Pixel and Samsung Galaxy handsets are affected along with Android smartphones made by many other manufacturers.
Until the patch is disseminated, attackers can potentially exploit the flaw. Google says that this would allow attackers to “continue to read and write physical pages after they had been returned to the system.” Furthermore, the company adds that “by forcing the kernel to reuse these pages as page tables, an attacker with native code execution in an app context could gain full access to the system, bypassing Android’s permissions model and allowing broad access to user data.”
Project Zero notes that it told ARM about the vulnerabilities and ARM “promptly” fixed the issues in July and August of this year. ARM assigned the CVE-2022-33917 number to the flaw. But Google later found “that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.” In other words, devices made by Google’s own Pixel team, Samsung, Oppo, and Xiaomi were never patched and still have this exploitable vulnerability.
Keep in mind that the phones at risk sport a Mali GPU, which rules out devices powered by a Snapdragon chipset. However, handsets using Google Tensor, Exynos, or MediaTek chips need to be patched. The good news is that Google is testing a patch that is expected to be pushed out “in the coming weeks.” Phone manufacturers building Android devices will also need to include it.
Google’s statement reads, “The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”
And Google also has words of wisdom for Android vendors trying to prevent a similar incident from popping up in the future. The company makes it clear that vendors have a responsibility to patch their software flaws just like Android users must download security updates as soon as they are received.

“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies. Minimizing the “patch gap” as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch,” Google wrote.

The search giant added that “Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”

Google has not said that the vulnerability has been exploited by any attackers, but for the time being it remains a flaw that can be used to steal the personal data on certain Android phones. When the update does arrive (and Google has said that it will be coming soon), if you have an Android phone at risk, install the update immediately. You can quickly determine if your device is vulnerable by looking at the specs for your phone on PhoneArena and checking to see the manufacturer of the GPU on the device.

If it shows that you have an ARM Mali graphics processing unit (GPU), your device is at risk. Keep checking in as we will update this story when the patch is disseminated.

