Arm Warns of Mali GPU Vulnerabilities Under "Limited, Targeted Exploitation"
Users of supported hardware should update their drivers now, while end-of-life Midgard users need to contact Arm support.
Arm has warned of a bundle of recently-discovered security vulnerabilities in its Mali graphics processing unit (GPU) drivers, which can lead to unauthorized memory access — and that, the company says, "may be under limited, targeted exploitation" in the wild.
Developed in 2005 as a product of Norwegian University of Science and Technology spin-off Falanx Microsystems, the Mali graphics processor technology was acquired by Arm in 2006 and has been at the heart of the company's embedded graphics offerings ever since. The latest generation, code-named Valhall, launched in June last year, offering the family's first support for hardware-accelerated ray tracing — and a fifth-generation, with a 15 per cent performance uplift, was announced back in May this year.
Those with Mali hardware in their projects, however, are warned of a trio of vulnerabilities affecting the Midgard, Bifrost, Valhall, and unnamed fifth-generation parts — under "limited, targeted exploitation" by ne'er-do-wells in the wild, the company says.
The vulnerabilities require an attack to have existing access to an unprivileged account on the target system, with the broadest of the three allowing for the use of what Arm describes as "improper GPU memory processing operations" to gain access to already-freed memory. Another, which only affects Bifrost, Valhall, and fifth-generation GPUs allows for a race condition which, again, provides access to already-freed memory. Finally, the third vulnerability affects only the Valhall and fifth-generation parts and offers, again, a race condition for memory access.
With Arm warning of active, though limited, exploitation in the wild, developers using Mali IP are advised to upgrade to the latest drivers available in order to resolve the vulnerabilities — though this is complicated by the end of official support for the Midgard GPU range, with Arm advising those affected to "contact Arm support" for more information.
Full details of the vulnerabilities are available on the Arm Developer site.