Arm, Qualcomm warn GPU drivers are likely being exploited by hackers

The British semiconductor designer Arm and U.S. chip manufacturer Qualcomm issued separate warnings Monday that hackers are likely exploiting multiple vulnerabilities in their graphics processing units (GPUs).

A GPU is a specific type of chip mostly used for graphics-related tasks, such as rendering images and videos, but also for scientific calculations, training artificial intelligence and cryptocurrency mining.

Qualcomm said that it fixed vulnerabilities in its Adreno GPU but hasn't released much detail except that these vulnerabilities were “under limited, targeted exploitation.”

Arm, in turn, said that a security issue, tracked as CVE-2023-4211, could allow hackers to gain access to data stored on devices that use its popular GPU called Mali. The newly discovered flaw impacts certain versions of the Mali GPU kernel driver — a software component that helps the GPU and the operating system communicate.

Arm’s Mali GPUs are used on a variety of devices, including on Android phones developed by Google, Samsung, Huawei and Xiaomi, as well as Linux devices. Qualcomm is one of Arm’s biggest customers. Its GPUs are also used on many Android smartphones and tablets.

According to Arm’s advisory, threat actors can take advantage of the recently uncovered security flaw to access what's known as "freed memory" — the memory that has been previously allocated for a specific task but has been released and should no longer be accessible.

This kind of vulnerability might be used to load malicious code, extract sensitive information, or manipulate data.

Google's recent Android security update rates the seriousness of the flaw as "high."

Arm has not disclosed specific information about any attacks related to this new Mali GPU vulnerability but mentioned that the “vulnerability may be under limited, targeted exploitation.”

To stay safe from these attacks, users should update their GPU's kernel driver to the newest version. This applies to Mali GPUs with Bifrost, Valhall, or Arm 5th Generation architectures, according to the advisory.

Arm said it also patched two other security flaws in the Mali GPU kernel driver on Monday — CVE-2023-33200 and CVE-2023-34970 — which could allow hackers to gain unauthorized access to memory that should have been released or cleared.

This isn't the first time researchers discovered issues in Arm's Mali GPU kernel driver. Last year, a researcher known as Man Yue Mo on GitHub identified a security vulnerability in the Mali GPU kernel driver that could have enabled hackers to gain control over the Pixel 6's operating system. This issue was fixed in June of the same year.

According to Man Yue Mo, the GPU driver in Android could be an appealing target for attackers since it can be accessed by any compromised or malicious app.

Furthermore, most Android devices use either Qualcomm's Adreno GPU or the Arm Mali GPU. This means that by targeting just these two GPU drivers, it might be possible to gain widespread control over all Android devices with relatively few vulnerabilities, as noted by Man Yue Mo.