Android security update fixes Mali GPU bug exploited as zero-day
Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December.
The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes may have been used in a spyware campaign targeting Samsung phones.
“There are indications that CVE-2022-22706 may be under limited, targeted exploitation,” reads Google’s latest bulletin. CISA also highlighted the active exploitation of CVE-2022-22706 in an advisory released in late March.
With a score of 7.8 out of 10, the high-severity security issue allows non-privileged users to get write access to read-only memory pages.
According to Arm, the issue impacts the following kernel driver versions:
- Midgard GPU Kernel Driver: All versions from r26p0 – r31p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r35p0
Arm fixed the issue in Bifrost and Valhall GPU Kernel Driver r36p0 and in Midgard Kernel Driver r32p0, but the fix trickled into the stable version of Android only now.
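As an added triage helper, not code from the article, Arm or Google: the script below parses Arm-style driver version strings and tests them against the affected ranges quoted above, then combines that with the device's Android security patch level. The inclusive reading of the ranges and the `rNNpM` version format (with any trailing build suffix ignored) are assumptions.

```python
import re
from datetime import date
from typing import Tuple

# Affected ranges as published by Arm (quoted in the article); assumed inclusive.
# Per GPU family: ((first affected, last affected), first fixed release).
AFFECTED = {
    "midgard": (("r26p0", "r31p0"), "r32p0"),
    "bifrost": (("r0p0", "r35p0"), "r36p0"),
    "valhall": (("r19p0", "r35p0"), "r36p0"),
}
FIXED_PATCH_LEVEL = date(2023, 6, 5)  # Android security patch level carrying the fix

_VERSION_RE = re.compile(r"^r(\d+)p(\d+)")


def parse_version(text: str) -> Tuple[int, int]:
    """Parse an Arm driver version such as 'r31p0' into (release, point).
    Any trailing build suffix (assumed format, e.g. 'r31p0-xxxx') is ignored."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Mali driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def driver_is_affected(family: str, version: str) -> bool:
    """True if family/version falls inside Arm's affected range for CVE-2022-22706."""
    family = family.lower()
    if family not in AFFECTED:
        raise ValueError(f"unknown Mali GPU family: {family!r}")
    (first, last), _fixed = AFFECTED[family]
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def patch_level_covers_fix(patch_level: str) -> bool:
    """True if a ro.build.version.security_patch value (YYYY-MM-DD) is 2023-06-05 or later."""
    return date.fromisoformat(patch_level) >= FIXED_PATCH_LEVEL


def assess(family: str, version: str, patch_level: str) -> str:
    """Triage verdict combining the driver version range and the Android patch level."""
    if not driver_is_affected(family, version):
        return "not affected: driver version outside Arm's affected range"
    if patch_level_covers_fix(patch_level):
        return "affected driver, but Android patch level includes the fix"
    return "VULNERABLE: affected driver and patch level predates 2023-06-05"


if __name__ == "__main__":
    # Constructed sample: a Valhall device whose `adb shell getprop
    # ro.build.version.security_patch` returned 2023-05-05.
    print(assess("valhall", "r32p1", "2023-05-05"))
```

Vendors that shipped the fix early (the article notes Samsung did so in May 2023) will report a pre-June patch level, so treat a "VULNERABLE" verdict as a prompt to check the vendor bulletin rather than as proof.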
It is worth noting that Samsung addressed CVE-2022-22706 in its May 2023 update. The company’s quick response to the active exploitation of the flaw is likely due to its users being explicitly targeted by the spyware campaign.
The critical-severity flaws fixed in this month’s Android update include:
- CVE-2023-21127 – Remote code execution flaw in Android Framework, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
- CVE-2023-21108 – Remote code execution flaw in Android System, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
- CVE-2023-21130 – Remote code execution flaw in Android System, impacting Android 13. Fixed in security patch level “2023-06-01.”
- CVE-2022-33257 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
- CVE-2022-40529 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
Devices running Android 10 or older are no longer supported and will not receive this security update.
Users of outdated devices should be aware that they remain exposed to these flaws. They should either switch to a newer, actively supported Android model or turn to a third-party Android distribution that still provides security fixes, even if those typically arrive with a delay.