cbcvebase.
CVE-2021-28663
published 2021-05-10

CVE-2021-28663: The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free…

PriorityP184high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
12.08%
95.6th percentile
The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.

Affected

4 ranges
VendorProductVersion rangeFixed in
armbifrost_gpu_kernel_driver>= r0p0 < r29p0r29p0
armmidgard_gpu_kernel_driver>= r4p0 < r31p0r31p0
armvalhall_gpu_kernel_driver>= r19p0 < r29p0r29p0
googleandroid

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is in the Arm Mali GPU kernel driver; target affected driver versions: Bifrost r0p0 through r28p0 (before r29p0), Valhall r19p0 through r28p0 (before r29p0), and Midgard r4p0 through r30p0
  • Exploitation vector is a non-privileged (low-privilege) user process making improper GPU memory operations via the Mali kernel driver to achieve root privilege escalation or information disclosure — monitor for unexpected privilege escalation from low-privileged processes interacting with Mali GPU driver ioctls
  • Root cause is a use-after-free in GPU memory operation handling in the Mali kernel driver; audit kernel crash dumps or KASAN/KFENCE reports referencing Mali GPU memory paths for exploitation evidence
  • Android Security Bulletin reference A-174259860 can be used to cross-reference patch status on Android devices; check for the 2021-05-01 security patch level as the minimum remediated baseline
  • ·The vulnerability is marked with an asterisk (A-174259860*) in the Android Security Bulletin, indicating the patch may not be publicly available; detection and patching may depend on OEM-specific driver updates
  • ·This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation; treat any unpatched Mali GPU driver in the affected version ranges as actively at risk

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck8.8HIGH
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.