Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find

Security researchers have discovered that some manufacturers have yet to implement an important vulnerability patch made available by the upstream vendor, affecting numerous Android devices from some of the largest companies in the mobile space, including Google.

One of the biggest problems in the cybersecurity space is the implementation of patches, or more precisely, the failure to implement them. When a security issue is found, developers must patch it quickly and release the changes downstream so everyone can deploy them. In practice, some of these patches reach consumers very late, if ever.

Researchers from Google's Project Zero found many companies that used Arm Holding's Mali GPU in their devices have yet to implement a patch made available by the firm.

"We reported these five issues to ARM when they were discovered between June and July 2022. ARM fixed the issues promptly in July and August 2022, disclosing them as security issues on their Arm Mali Driver Vulnerabilities page (assigning CVE-2022-36449) and publishing the patched driver source on their public developer website," explained the researchers.

They waited 30 more days before de-restricting Project Zero tracker entries, giving companies time to implement the patches.

"In this case we discovered that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins," the researchers added. According to their post, the vulnerability affects Pixel, Samsung, Xiaomi, Oppo and many other devices running the same hardware and drivers.

Researchers also added a “fun” fact. One of the vulnerabilities found in the 0-day for Android devices is likely tied to the Mali exploit, which should make companies hurry up with patch deployment.