June 10, 2024 at 06:56PM
Arm has issued a security bulletin regarding a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers, known as CVE-2024-4610, impacting versions r34p0 through r40p0. This use-after-free vulnerability (UAF) poses a risk of information disclosure and arbitrary code execution. The issue has been fixed in version r41p0, with users urged to upgrade due to reported exploitation in the wild. Supply chain complexities may lead to delayed driver patches reaching end users. Devices using Bifrost-based Mali GPUs and Valhall GPUs may be impacted and may no longer receive security updates.
Based on the meeting notes, a security bulletin has been issued by Arm warning of a use-after-free vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers. This vulnerability impacts all versions of Bifrost and Valhall drivers from r34p0 through r40p0 and can lead to information disclosure and arbitrary code execution. Arm has released a fix for this vulnerability in version r41p0, which was launched on November 24, 2022. The latest version of the drivers is currently r49p0.
It is reported that this vulnerability is being actively exploited in the wild and Arm recommends all impacted users to upgrade. However, due to the complex supply chain for Android, end users may experience significant delays in receiving patched drivers. Additionally, device manufacturers need to integrate the security update into their firmware, and carriers may also need to approve it. It is noted that some older devices may no longer be supported with security updates.
The impacted Bifrost-based Mali GPUs are used in smartphones/tablets, single-board computers, Chromebooks, and various embedded systems. Similarly, Valhall GPUs are present in high-end smartphones/tablets, automotive infotainment systems, and high-performance smart TVs. Some device makers may choose to prioritize newer devices and discontinue support for older ones.