⚠ Actively exploited

Added to CISA KEV on 2023-10-03. Federal agencies required to patch by 2023-10-24. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-4211 — Use After Free in ARM 5TH GEN GPU Architecture Kernel Driver

CWE-416 — Use After Free CWE-89 — SQL Injection15 documents11 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 58.33%

CISA KEV

KEV

Added 2023-10-03

Due 2023-10-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

ARM 5TH GEN GPU Architecture Kernel Driver ARM Bifrost GPU Kernel Driver ARM Valhall GPU Kernel Driver +9 more

Timeline

PublishedOct 1

KEV addedOct 3

KEV dueOct 24

Latest updateMay 22

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages12 packages

▶Packagistcakephp/cakephp4.2.0 — 4.2.12+2

▶Packagistcakephp/database4.2.0 — 4.2.12+2

▶NVDarm/bifrost_gpu_kernel_driverr0p0 — r43p0

▶NVDarm/valhall_gpu_kernel_driverr19p0 — r43p0

▶NVDarm/5th_gen_gpu_architecture_kernel_driverr41p0 — r43p0

🔴Vulnerability Details

GHSA

GHSA-7537-p54v-mh3v: A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory↗2023-10-01

▶

GHSA

CakePHP Database\\Query::offset() and limit() methods are vulnerable to SQL injection↗2023-01-20

▶

VulnCheck

Arm Mali GPU Kernel Driver Use-After-Free Vulnerability↗2023

▶

Project0

Project Zero RCA: CVE-2023-4211: Use-after-Free in ARM Mali GPU Driver↗

▶

📋Vendor Advisories

CISA

Arm Mali GPU Kernel Driver Use-After-Free Vulnerability↗2023-10-03

▶

Android

CVE-2023-4211: Mali↗2023-10-01

▶

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2023-4211↗2023-08-23

▶

Red Hat

kernel: Arm Mali GPU Kernel Driver Use-After-Free Vulnerability↗2023-08-15

▶

🕵️Threat Intelligence

Bleepingcomputer

December Android updates fix critical zero-click RCE flaw↗2023-12-04

▶

Bleepingcomputer

Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers↗2023-10-03

▶

Bleepingcomputer

Arm warns of Mali GPU flaws likely exploited in targeted attacks↗2023-10-02

▶

💬Community

Bugzilla

CVE-2023-52700 kernel: tipc: fix kernel warning when sending SYN message↗2024-05-22

▶

Bugzilla

CVE-2023-52835 kernel: perf/core: Bail out early if the request AUX area is out of bound↗2024-05-22

▶

Bugzilla

CVE-2023-52560 kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions()↗2024-03-04

▶