CVE-2021-28664
Published 2021-05-10
Priority P1 · 81 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability · due 2021-11-17
Exploited in the wild
EPSS 5.46% · 91.8th percentile
The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r8p0 through r30p0 before r31p0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arm | bifrost_gpu_kernel_driver | >= r0p0 < r29p0 | r29p0 |
| arm | midgard_gpu_kernel_driver | >= r8p0 < r31p0 | r31p0 |
| arm | valhall_gpu_kernel_driver | >= r19p0 < r29p0 | r29p0 |
| android | — | — | — |
Detection & IOCs
- Privilege escalation via unprivileged user achieving read/write access to read-only pages through the Arm Mali GPU kernel driver
- Affected component is the Mali GPU kernel driver; monitor for anomalous Mali driver interactions on Android devices, particularly unexpected memory permission changes
- Exploitation may result in root privilege escalation, memory corruption, or modification of other processes' memory — monitor for unexpected privilege escalation from non-privileged processes on Mali GPU-equipped devices
- Vulnerability affects Bifrost r0p0 through r29p0 (fixed in r30p0), Valhall r19p0 through r29p0 (fixed in r30p0), and Midgard r8p0 through r30p0 (fixed in r31p0) — scope detection/patching efforts to these driver version ranges
- Android Security Bulletin reference A-174588870 is marked with an asterisk (*), indicating the patch may not be publicly available and may require OEM-specific updates
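CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |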
GHSA
GHSA-w62f-9gm7-596f
ghsa_unreviewed · 2022-05-24
CVE-2021-28664 [HIGH] CWE-269
The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
OSV
CVE-2021-28664: In kbase_mem_flags_change of mali_kbase_mem_linux
osv·2021-05-01
In kbase_mem_flags_change of mali_kbase_mem_linux.c, there is a possible overlapping kernel memory regions due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
VulnCheck
Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-28664 [HIGH] CWE-787
Arm Mali Graphics Processing Unit (GPU) kernel driver contains an unspecified vulnerability that may allow a non-privileged user to gain write access to read-only memory, gain root privilege, corrupt memory, and modify the memory of other processes.
Affected: Arm Mali Graphics Processing Unit (GPU)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf
Remediation Due: 2021-11-17
Project0
Project Zero RCA: CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
project_zero·CVSS 8.8
CVE-2021-39793 [HIGH]
# CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
*Jann Horn*
## The Basics
**Disclosure or Patch Date:** March 7, 2022
**Product:** Arm Mali GPU driver for Linux/Android
**Advisory:**
- from Arm (upstream): https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
- from Google Pixel: https://source.android.com/security/bulletin/pixel/2022-03-01#pixel
**Affected Versions:** see Arm advisory (note that the affected version range
for the Bifrost version of the related CVE-2021-28664 seems to be off-by-one)
**First Patched Version:**
- for Arm: see Arm advisory
- for Pixel: patch level 2022-03-05
**Issue/Bug Report:** N/A
**Patch CL:** https://android.googlesource.com/kernel/google-modules/gpu/+/5381ff7b410
CISA
Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2021-28664 [HIGH] CWE-787
Vulnerability: Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability
Affected: Arm Mali Graphics Processing Unit (GPU)
Arm Mali Graphics Processing Unit (GPU) kernel driver contains an unspecified vulnerability that may allow a non-privileged user to gain write access to read-only memory, gain root privilege, corrupt memory, and modify the memory of other processes.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-28664
Remediation Due Date: 2021-11-17
Android
CVE-2021-28664: Mali
vendor_android·2021-05-01·CVSS 8.8
CVE-2021-28664 [HIGH]
Android Security Bulletin 2021-05-01
CVE: CVE-2021-28664
Severity: HIGH
Component: Mali
References: A-174588870*
No detection rules found.
No public exploits indexed.
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
- https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
- https://developer.arm.com/support/arm-security-updates
- https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28664
2021-05-10 · Published
2021-11-03 · Added to CISA KEV
Exploited in the wild