CVE-2022-22706
Published 2022-03-03
Priority: P1 · 80 · high · CVSS 3.1: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2023-04-20
Exploited in the wild
EPSS: 1.22% (64.8th percentile)
Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. This affects Midgard r26p0 through r31p0, Bifrost r0p0 through r35p0, and Valhall r19p0 through r35p0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arm | bifrost_gpu_kernel_driver | >= r0p0 < r36p0 | r36p0 |
| arm | midgard_gpu_kernel_driver | >= r26p0 < r32p0 | r32p0 |
| arm | valhall_gpu_kernel_driver | >= r19p0 < r36p0 | r36p0 |
| android | — | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability affects Arm Mali GPU Kernel Driver (Midgard r26p0–r31p0, Bifrost r0p0–r35p0, Valhall r19p0–r35p0); monitor for non-privileged processes gaining write access to read-only memory pages via the Mali GPU driver
- CVE-2022-22706 is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation; prioritize detection on Android devices running affected Mali GPU driver versions
- Android Security Bulletin (2023-06-01) tracks this as a HIGH severity issue in the Mali component; use Android reference A-225040268 to cross-reference patch status on managed Android devices
- Affected driver version ranges are broad; confirm exact installed Mali GPU driver version (Midgard r26p0–r31p0, Bifrost r0p0–r35p0, Valhall r19p0–r35p0) before applying detections to avoid false positives on patched versions
- The vulnerability mechanism is described as 'unspecified' in public advisories; no technical write-up or PoC details are available from these sources, limiting precision of behavioral detections
CVSS provenance
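| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |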
Project0
Analyzing a Modern In-the-wild Android Exploit - Project Zero
project_zero·2023-09-01·CVSS 7.8
CVE-2022-22706 [HIGH] Analyzing a Modern In-the-wild Android Exploit - Project Zero
By Seth Jenkins, Project Zero
## Introduction
In December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one of the exploit chains, specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver) as well as the techniques used by the attacker to gain kernel arbitrary read/write access.
Notably, several of the previous stages of the exploit chain used n-day vulnerabilities:
- CVE-2022-4262, a 0-day vulnerability in Chrome was exploited in the Samsung browser to achieve RCE.
- CVE-2022-3038, a Chrome n-day that unpatched in the Samsung
Project0
Mind the Gap - Project Zero
project_zero·2022-11-01·CVSS 7.8
CVE-2021-39793 [HIGH] Mind the Gap - Project Zero
By Ian Beer, Project Zero
Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable.
## Introduction
In June 2022, Project Zero researcher Maddie Stone gave a talk at FirstCon22 titled 0-day In-the-Wild Exploitation in 2022…so far. A key takeaway was that approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities. This finding is consistent with our understanding of attacker behavior: attackers will take the path of least resistance, and as long as vendors don't consistently
GHSA
GHSA-fjww-grc5-6wh6: An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function
ghsa_unreviewed·2022-03-04
CVE-2022-22706 [HIGH] CWE-119 GHSA-fjww-grc5-6wh6: An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function
An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function.
VulnCheck
Arm Mali GPU Kernel Driver Unspecified Vulnerability
vulncheck·2022·CVSS 7.8
CVE-2022-22706 [HIGH] CWE-119 Arm Mali GPU Kernel Driver Unspecified Vulnerability
Arm Mali GPU Kernel Driver Unspecified Vulnerability
Arm Mali GPU Kernel Driver contains an unspecified vulnerability that allows a non-privileged user to achieve write access to read-only memory pages.
Affected: Arm Mali Graphics Processing Unit (GPU)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities; https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html
Remediation Due: 2023-04-20
Project0
Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
project_zero·CVSS 8.8
CVE-2022-4262 [HIGH] Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
# CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
*Samuel Groß, V8 Security*
## The Basics
**Disclosure or Patch Date:** 2 December 2022
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
**Affected Versions:** 108.0.5359.71 and previous
**First Patched Version:** 108.0.5359.94
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1394403
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/27fa951ae4a3801126e84bc94d5c82dd2370d18b
**Bug-Introducing CL:** N/A
**Reporter(s):** Clement Lecigne of Google's Threat Analysis Group
## The Code
**Proof-of-concept:**
```javascript
let alloc = function() {
  let tt = new ArrayBuffer(31 * 1024 * 1024 * 1024);
  tt = new ArrayBu
```
Project0
Project Zero RCA: CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
project_zero·CVSS 8.8
CVE-2021-39793 [HIGH] Project Zero RCA: CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
# CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
*Jann Horn*
## The Basics
**Disclosure or Patch Date:** March 7, 2022
**Product:** Arm Mali GPU driver for Linux/Android
**Advisory:**
- from Arm (upstream): https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
- from Google Pixel: https://source.android.com/security/bulletin/pixel/2022-03-01#pixel
**Affected Versions:** see Arm advisory (note that the affected version range
for the Bifrost version of the related CVE-2021-28664 seems to be off-by-one)
**First Patched Version:**
- for Arm: see Arm advisory
- for Pixel: patch level 2022-03-05
**Issue/Bug Report:** N/A
**Patch CL:** https://android.googlesource.com/kernel/google-modules/gpu/+/5381ff7b410
Android
CVE-2022-22706: Mali
vendor_android·2023-06-01·CVSS 7.8
CVE-2022-22706 [HIGH] CVE-2022-22706: Mali
Android Security Bulletin 2023-06-01
CVE: CVE-2022-22706
Severity: HIGH
Component: Mali
References: A-225040268
CISA
Arm Mali GPU Kernel Driver Unspecified Vulnerability
cisa·2023-03-30·CVSS 7.8
CVE-2022-22706 [HIGH] CWE-119 Arm Mali GPU Kernel Driver Unspecified Vulnerability
Vulnerability: Arm Mali GPU Kernel Driver Unspecified Vulnerability
Affected: Arm Mali Graphics Processing Unit (GPU)
Arm Mali GPU Kernel Driver contains an unspecified vulnerability that allows a non-privileged user to achieve write access to read-only memory pages.
Required Action: Apply updates per vendor instructions.
Notes: https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities; https://nvd.nist.gov/vuln/detail/CVE-2022-22706
Remediation Due Date: 2023-04-20
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://developer.arm.com/support/arm-security-updates
- https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22706
- 2022-03-03: Published
- 2023-03-30: Added to CISA KEV
Exploited in the wild