Arm and Qualcomm zero-days quietly patched in this month’s Android security updates
Catalin Cimpanu May 19, 2021


Google today updated the May 2021 Android security bulletin to reveal that four of the bugs patched earlier this month “may be under limited, targeted exploitation.”

The OS maker has not provided any details about the attacks besides listing the CVE identifiers of the four vulnerabilities.

All four vulnerabilities impact GPU firmware code, with two bugs impacting the Arm Mali GPU driver while the other two impact the Qualcomm graphics component.

| CVE | Description |
| --- | --- |
| CVE-2021-1905 | Possible use after free due to improper handling of memory mapping of multiple processes simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. |
| CVE-2021-1906 | Improper handling of address deregistration on failure can lead to new GPU address allocation failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. |
| CVE-2021-28663 | The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0. |
| CVE-2021-28664 | The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0. |

Android vulnerabilities are rarely seen exploited in the wild

Today’s update is a rare instance where Android bugs are being exploited in the wild. It’s usually iOS security flaws that are exploited by hackers in targeted attacks.

According to a spreadsheet maintained by the Google Project Zero team, since 2014, only six Android-related zero-days have been exploited in the wild, with the four bugs disclosed today representing two-thirds of that number.

The other two zero-days previously exploited in the wild are CVE-2020-11261, another bug in the Qualcomm graphics component that was patched earlier this year in the January 2021 Android security bulletin, and CVE-2019-2215, an Android exploit believed to have been developed by exploit broker NSO Group, sold to its customers, and abused throughout 2019.

Although Google said the four bugs disclosed today had been used in targeted attacks, users who want to make sure they’re safe will want to update to the latest Android OS version.

Not all Android smartphones are impacted, only those that use Arm or Qualcomm GPUs. See the Arm and Qualcomm security bulletins for a list of impacted chipsets.

The Record understands that this month’s security updates have been delayed by some smartphone vendors to make sure they shipped today’s Arm and Qualcomm fixes.

The disclosure of these zero-days also comes during the Google I/O developer conference and a day after Google announced Android 12, which has led many security experts to wonder whether Google was intentionally trying to bury this news in the avalanche of other Android-related news.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.