Google’s Project Zero discloses five zero-day vulnerabilities

Project Zero researcher Jann Horn discovered five exploitable vulnerabilities in the ARM Mali GPU driver between June and July this year. One of the security flaws can lead to kernel memory corruption, while another can disclose physical memory addresses to userspace. The remaining three lead to a physical page use-after-free condition. These flaws would “enable an attacker to continue to read and write physical pages after they had been returned to the system,” Ian Beer of Project Zero explains. “An attacker with native code execution in an app context could gain full access to the system, bypassing Android’s permissions model and allowing broad access to user data.”

Google’s security team promptly reported these flaws to ARM, and the semiconductor firm was quick to fix the issues. ARM assigned CVE-2022-36449 to the flaws and published the patch source on its developer website. To give OEMs time to roll out the patch to the affected devices, Google didn’t publicly disclose the vulnerabilities right away. After the 30-day waiting period, it published the vulnerabilities on the public Project Zero tracker between late August and mid-September.

Unfortunately, almost four months after ARM released the patch, no Android manufacturer has shipped it to their affected devices. Project Zero reports that CVE-2022-36449 doesn’t feature in any downstream security bulletins as of Tuesday, November 22. The researchers urge companies to remain vigilant and follow upstream sources closely so that they can provide patches to users as soon as possible. “Minimizing the patch gap as a vendor in these scenarios is arguably more important,” Beer writes.

Google is still testing ARM’s patch

Google says it is testing ARM’s patch and plans to roll it out soon, possibly with the December Android security update. It will be mandatory for all OEM partners. “The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks,” a Google spokesperson told Engadget. “Android OEM partners will be required to take the patch to comply with future SPL requirements.” We will keep a close eye on this and will let you know when we have more information.