Hackers are actively "digging" in the brains of the Mali graphics chip

Tomcat

Smartphones are under the gun; Arm representatives recommend not delaying the update.

The British company Arm has reported a security vulnerability in the Mali GPU kernel driver that attackers are already actively exploiting. The issue, tracked as CVE-2024-4610, is a use-after-free (use of memory after it has been freed) and affects the following products:
  • Bifrost GPU kernel driver (all versions from r34p0 to r40p0);
  • Valhall GPU kernel driver (all versions from r34p0 to r40p0).

"A local unprivileged user can perform inappropriate GPU memory processing operations by accessing already freed memory," the company said in a statement.

The vulnerability was fixed in version r41p0 of the Bifrost and Valhall GPU kernel driver, released on November 24, 2022. The current driver version, r49p0, was released in April 2024.

Foreign journalists asked Arm to clarify whether this is an old vulnerability that has only now received a CVE identifier or one that was discovered quite recently. No response from the company has been received yet.

Arm also confirmed reports of real attacks exploiting this vulnerability, but did not disclose additional details to prevent further abuse.

Previously identified zero-day vulnerabilities in the Mali GPU are CVE-2022-22706, CVE-2022-38181 and CVE-2023-4211. They were used by commercial spyware vendors for targeted attacks on Android devices. One of these attacks is associated with the Italian company Cy4Gate.

Users of affected products are advised to update their drivers to the latest version to protect themselves from potential threats, but on mobile devices this cannot be done manually. All that remains is to wait for the manufacturer's official fix and to install the update without delay once it becomes available.
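For fleet triage against the version ranges quoted above, here is an added example (not part of the original post or of Arm's advisory) that parses `rNpM` driver release strings and classifies each device. The inventory rows, the optional build suffix, and the choice to treat every release between r40p0 and the r41p0 fix as affected are assumptions.

```python
import re

# Ranges as stated on this page for CVE-2024-4610.
FIRST_AFFECTED = (34, 0)   # r34p0
FIXED_IN = (41, 0)         # r41p0
AFFECTED_FAMILIES = {"bifrost", "valhall"}
# Assumption: a release string may carry a build suffix such as "-01eac0".
_RELEASE = re.compile(r"^r(\d+)p(\d+)(?:-[0-9A-Za-z]+)?$")


def parse_release(text):
    """Return (release, patch) for an 'rNpM' string, or None if it does not parse."""
    m = _RELEASE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(family, release):
    """Return 'affected', 'fixed', 'predates-range', 'not-listed' or 'unknown'."""
    if family.strip().lower() not in AFFECTED_FAMILIES:
        return "not-listed"       # driver family is not named on the page
    version = parse_release(release)
    if version is None:
        return "unknown"          # never treat an unreadable version as safe
    if version >= FIXED_IN:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"         # assumption: r40pN with N > 0 counts as affected
    return "predates-range"       # older than r34p0; the page makes no claim here


# Constructed inventory rows: (device label, driver family, reported release).
INVENTORY = [
    ("phone-a", "Valhall", "r38p1"),
    ("phone-b", "Bifrost", "r40p0"),
    ("tablet-c", "Valhall", "r41p0"),
    ("phone-d", "Bifrost", "r32p1-01eac0"),
    ("kiosk-e", "Midgard", "r36p0"),
    ("phone-f", "Valhall", "unknown-build"),
]


def triage(rows):
    """Map each device label to its classification."""
    return {device: classify(family, release) for device, family, release in rows}


if __name__ == "__main__":
    for device, status in triage(INVENTORY).items():
        print(f"{device:10} {status}")
```

Devices reported as `unknown` or `predates-range` need manual follow-up with the vendor rather than being counted as patched.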