⚠ Actively exploited
Added to CISA KEV on 2023-03-30. Federal agencies required to patch by 2023-04-20. Required action: Apply updates per vendor instructions..

CVE-2022-22706Improper Restriction of Operations within the Bounds of a Memory Buffer in ARM Bifrost GPU Kernel Driver

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents6 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 74.02%
CISA KEV
KEV
Added 2023-03-30
Due 2023-04-20
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
ARM Bifrost GPU Kernel DriverARM Midgard GPU Kernel DriverARM Valhall GPU Kernel Driver+1 more
Timeline
PublishedMar 3
KEV addedMar 30
KEV dueApr 20
Latest updateSep 1
CISA Required Action: Apply updates per vendor instructions.

Description

Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. This affects Midgard r26p0 through r31p0, Bifrost r0p0 through r35p0, and Valhall r19p0 through r35p0.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

NVDarm/bifrost_gpu_kernel_driverr0p0r36p0
NVDarm/midgard_gpu_kernel_driverr26p0r32p0
NVDarm/valhall_gpu_kernel_driverr19p0r36p0

🔴Vulnerability Details

6
Project0
Analyzing a Modern In-the-wild Android Exploit - Project Zero2023-09-01
Project0
Mind the Gap - Project Zero2022-11-01
GHSA
GHSA-fjww-grc5-6wh6: An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function2022-03-04
VulnCheck
Arm Mali GPU Kernel Driver Unspecified Vulnerability2022
Project0
Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser

📋Vendor Advisories

2
Android
CVE-2022-22706: Mali2023-06-01
CISA
Arm Mali GPU Kernel Driver Unspecified Vulnerability2023-03-30