CVE-2022-46395
published 2023-03-06


Priority: P3 (52), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.68% (83.9th percentile)
An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r0p0 through r32p0, Bifrost r0p0 through r41p0 before r42p0, Valhall r19p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.

Affected

5 ranges
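| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| arm | avalon_gpu_kernel_driver | | |
| arm | bifrost_gpu_kernel_driver | r0p0 – r41p0 | |
| arm | midgard_gpu_kernel_driver | r0p0 – r32p0 | |
| arm | valhall_gpu_kernel_driver | r19p0 – r41p0 | |
| google | android | | |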

Detection & IOCs (extracted from sources)

  • Vulnerability affects Arm Mali GPU Kernel Driver across multiple GPU families: Midgard r0p0 through r32p0, Bifrost r0p0 through r41p0 (before r42p0), Valhall r19p0 through r41p0 (before r42p0), and Avalon r41p0 (before r42p0). Detection should focus on identifying vulnerable driver versions on Android devices.
  • The exploit primitive is improper GPU processing operations by a non-privileged user leading to use-after-free (UAF) on already freed GPU memory. Monitor for anomalous GPU kernel driver calls from unprivileged processes.
  • Android Security Bulletin (2023-05-01) tracks this as HIGH severity under the Mali component with Android bug reference A-267357916. Use this reference to cross-check patch status on Android devices.
  • Midgard GPU family (r0p0 through r32p0) has no patch available via r42p0; the fixed version boundary (r42p0) only applies to Bifrost, Valhall, and Avalon. Midgard devices may remain permanently vulnerable unless a vendor-specific patch is issued.
  • The Android Security Bulletin entry is marked with an asterisk (*), which typically indicates the patch has not been made publicly available by the upstream vendor at time of publication. Verify patch availability directly with device OEMs.