Google’s Project Zero team is on the front lines of digital security, analyzing code, reporting bugs, and generally making the internet safer. However, not every vulnerability gets fixed in a timely manner. A recent batch of serious flaws in Arm’s Mali GPU were reported by Project Zero and fixed by the manufacturer. However, smartphone vendors never implemented the patches, among them Google itself. So, that’s a little embarrassing.
The story starts in June 2022 when Project Zero researcher Maddie Stone gave a presentation on zero-day exploits — known vulnerabilities for which there is no available patch. The talk used a vulnerability identified as CVE-2021-39793 and the Pixel 6 as an example. This flaw allowed apps to access read-only memory pages, which can leak personal data. Following this, researcher Jann Horn started looking more closely at ARM Mali GPU code, finding five more vulnerabilities that could allow an attacker to bypass Android’s permission model and take control of the system.
Some of these issues were allegedly available for sale on hacking forums, making them especially important to patch. Project Zero reported the issues to ARM, which followed up with source code patches for vendors to implement. Project Zero waited another 30 days to disclose the flaws, which it did in August and mid-September 2022. Usually, this would be the end of the story, but Project Zero occasionally circles back to assess the functionality of fixes. In this case, the team found a “patch gap.”
Although ARM released the patches over the summer, vendors hadn’t integrated them into their regular Android updates. The issues affect numerous devices that run a system-on-a-chip featuring a Mali GPU, including Android phones from Samsung, Xiaomi, Oppo, and Google. Snapdragon chips are spared as they use Qualcomm’s own Adreno GPU. So, Samsung phones in North America are safe, but those sold internationally with Exynos chips are at risk.
In past years, this might not have affected Google, but the company switched from Qualcomm to the custom Tensor chips for Pixel phones in 2021. Tensor uses a Mali GPU, so Google’s security team found flaws that the Pixel team failed to add to the regular software updates. Google is not alone in making this mistake, but it’s still not a great look. Google now says that the Mali patches will be added to Pixel phones “in the coming weeks.” Other vendors haven’t offered a timetable yet.