CVE-2021-29256
published 2021-05-24

Priority: P182, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2023-07-28
ITW: Exploited in the wild
EPSS: 3.02% (85.8th percentile)

The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.

Affected

4 ranges
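| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| arm | bifrost_gpu_kernel_driver | >= r16p0, < r30p0 | r30p0 |
| arm | midgard_gpu_kernel_driver | >= r28p0, < r31p0 | r31p0 |
| arm | valhall_gpu_kernel_driver | >= r19p0, < r30p0 | r30p0 |
| google | android | | |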

Detection & IOCs (extracted from sources)

  • Target is the Arm Mali GPU kernel driver; look for unprivileged processes interacting with Mali GPU kernel driver interfaces (Bifrost, Valhall, Midgard) that result in use-after-free conditions leading to privilege escalation or memory disclosure.
  • Flag any process running at low privilege that subsequently gains root — particularly on Android devices with Mali GPUs — as a potential exploitation indicator for this UAF vulnerability.
  • Scope detection to Mali GPU driver versions: Bifrost r16p0–r29p0, Valhall r19p0–r29p0, and Midgard r28p0–r30p0 (all before r30p0 fix). Audit installed driver versions on Android/Linux devices with Mali GPUs.
  • Android Security Bulletin reference A-283489460 can be used to cross-reference patched builds; devices missing the 2023-07-01 Android security patch level on Mali-equipped hardware remain vulnerable.
  • Midgard r30p0 is listed as an affected version (not a fixed version), unlike Bifrost and Valhall where r30p0 is the fix. Ensure detection/patching scope correctly distinguishes Midgard r28p0–r30p0 as all vulnerable.
  • The Android Security Bulletin entry is marked with an asterisk (*) on the reference A-283489460, which typically indicates the patch is not publicly available. Verify patch availability through OEM channels before assuming remediation.

CVSS provenance

  • nvd, v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • nvd, v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
  • vulncheck: 8.8 HIGH
  • cisa: 8.8 HIGH