Arm has credited the discovery of active exploitation to Maddie Stone of Google’s Threat Analysis Group and Jann Horn of Google Project Zero.
Google Pixel devices and Chromebooks — most affected by the vulnerability — were both separately patched by Google in September.
Patches now available for most affected versions
Arm’s Mali line of GPUs runs on a host of devices including mobile devices, smart TVs, automotive infotainment systems, wearable devices, embedded systems, IoT devices, development boards, and gaming consoles. The GPUs run a range of kernel driver versions across all these devices.
The vulnerability affects four different versions of the drivers: Midgard GPU Kernel Driver (r12p0 through r32p0), Bifrost GPU Kernel Driver (r0p0 through r42p0), Valhall GPU Kernel Driver (r19p0 through r42p0), and Arm 5th Gen GPU Architecture Kernel Driver (r41p0 through r42p0).
Patches are available now for three out of the four affected versions. “This issue is fixed in Bifrost, Valhall, and Arm 5th Gen GPU Architecture Kernel Driver r43p0,” Arm said. “Users are recommended to upgrade if they are impacted by this issue.” Arm added that support for Midgard GPUs is available on contact. The advisory also listed patches for two other vulnerabilities, CVE-2023-33200 and CVE-2023-34970, both of which allow similar exploitation in the Valhall and Arm 5th Gen versions of the GPU.
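The affected ranges above can be turned into a fleet triage check. The following is an added example, not code from Arm or from the article: the inventory rows and function names are constructed, and the Midgard action reflects this article's statement that support is available on contact. Versions are compared numerically because a plain string comparison would rank r9p0 above r42p0.

```python
import re

# Affected ranges and fixed release exactly as reported in the article above.
AFFECTED = {
    "midgard": ("r12p0", "r32p0", None),  # no fixed release named in the article
    "bifrost": ("r0p0", "r42p0", "r43p0"),
    "valhall": ("r19p0", "r42p0", "r43p0"),
    "5th gen": ("r41p0", "r42p0", "r43p0"),
}
_VERSION = re.compile(r"^r(\d+)p(\d+)$")

def parse_version(text):
    """Turn 'r42p0' into (42, 0) so releases compare numerically, not as strings."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"not an rNpM driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(family, version):
    """Return (status, action) for one device's kernel driver."""
    key = family.strip().lower()
    if key not in AFFECTED:
        return "unknown", "driver family not listed in the advisory"
    try:
        v = parse_version(version)
    except ValueError as exc:
        return "unknown", str(exc)  # malformed inventory data needs manual review
    first, last, fixed = AFFECTED[key]
    if parse_version(first) <= v <= parse_version(last):
        return "affected", f"upgrade to {fixed}" if fixed else "contact Arm support"
    return "not affected", "no action for this issue"

# Constructed inventory rows: (device name, driver family, driver version).
INVENTORY = [
    ("tablet-a", "Valhall", "r38p1"),
    ("tv-b", "Midgard", "r26p0"),
    ("board-c", "Bifrost", "r9p0"),
    ("phone-d", "Valhall", "r43p0"),
    ("kiosk-e", "Valhall", "r18p0"),
    ("watch-f", "Bifrost", "42.0"),
]

def report(rows=INVENTORY):
    return {name: triage(family, ver) for name, family, ver in rows}

if __name__ == "__main__":
    for name, (status, action) in report().items():
        print(f"{name}: {status} ({action})")
```

A "not affected" result only reflects the version ranges quoted here; device vendors may ship modified driver builds, so confirm against the vendor's own security bulletin.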