cbcvebase.
CVE-2023-26083
published 2023-04-06

CVE-2023-26083: Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from…

PriorityP274low3.3CVSS 3.1
AVLACLPRLUINSUCLINAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2023-04-28
Exploited in the wild
EPSS
1.42%
69.4th percentile
Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

Affected

6 ranges
VendorProductVersion rangeFixed in
arm5th_gen_gpu_architecture_kernel_driver>= r41p0 < r43p0r43p0
armbifrost_gpu_kernel_driver>= r0p0 < r43p0r43p0
armmidgard_gpu_kernel_driverr6p0 – r32p0
armvalhall_gpu_kernel_driver>= r19p0 < r43p0r43p0
googleandroid
googlechrome_chrome

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability affects Arm Mali GPU Kernel Driver (Midgard, Bifrost, Valhall, Avalon families); detection should focus on non-privileged processes making anomalous GPU processing operations that may expose kernel metadata
  • Android Security Bulletin classifies this as a Mali component vulnerability (A-272073598); patch status can be verified against the 2023-07-01 Android Security Bulletin
  • CVE-2023-26083 is listed in CISA KEV, indicating confirmed in-the-wild exploitation; prioritize detection and patching on Android/ChromeOS devices using affected Arm Mali GPUs
  • ChromeOS LTS channel was patched in April 2023 in relation to this CVE; monitor ChromeOS device fleet for unpatched LTS builds
  • ·Affected driver version ranges are broad; Midgard r6p0–r32p0, Bifrost r0p0–r42p0, Valhall r19p0–r42p0, Avalon r41p0–r42p0 are all vulnerable. Ensure version identification covers all four GPU families before concluding a device is unaffected.
  • ·The Android Security Bulletin entry is marked with an asterisk (*) on the reference A-272073598, which typically indicates the patch is not publicly available via AOSP; patching depends on OEM/vendor driver updates rather than standard AOSP patch application.

CVSS provenance

nvdv3.13.3LOWCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vulncheck3.3LOW
cisa3.3LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.