It turns out that the first “all Google” phone includes a non-Google bug. Learn about the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU.
In this post, security researcher ‘Man Yue Mo’ shares the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU that he reported to the Android security team on 2022-07-12 along with a proof-of-concept exploit that used this vulnerability to gain arbitrary kernel code execution and root privileges on a Pixel 6 from an Android app.
The bug was assigned bug ID 238770628. After initially rating it as a High-severity vulnerability, the Android security team later decided to reclassify it as a “Won’t fix” and they passed my report to Arm’s security team.
The Arm security team quickly fixed the bug and released a public patch in version r40p0 of the driver on 2022-10-07 to address the issue.
However, The android security team silently fixed the bug in the January update on the Pixel devices without crediting the researcher.
This post was created with our nice and easy submission form. Create your post!