Google and other OEMs have yet to patch a critical Android security flaw

What you need to know

  • Google's Project Zero team details a critical security flaw affecting a number of devices containing a Mali GPU.
  • The issue would allow a hacker to take complete control of an Android device's system, bypass permissions, and access user data.
  • This issue affects Google, Samsung, Xiaomi, and OPPO devices containing a Mali GPU.

Google has detailed a critical security flaw for phones containing a Mali GPU that has yet to be properly addressed.

Google's Project Zero team posted details on its official blog about what this issue is and why it is so important that a fix for it comes out immediately. The critical security issue, CVE-2022-33917, affects devices containing ARM's Mali GPU. According to the report, users of devices from Google, Samsung, Xiaomi, and OPPO with a Mali GPU are at risk from this critical unpatched security flaw.

Researchers found five separate issues between June and July, one of which dealt with "kernel corruption." Another issue, as Project Zero informs, would lead to "physical memory addresses being disclosed to userspace." The remaining three of the five would "lead to a physical page use-after-free condition."

Simply put, Project Zero makes it clear that these issues would allow an attacker complete access to a phone's system and let them bypass the Android device's permissions system so they could then access broader user data.

Project Zero explains that these issues were brought up with ARM, which released a patch quite swiftly during July and August to address this crucial issue. However, as additional tests were conducted to determine the effectiveness of the patch, it was found that this security issue still persists even with the supposed fixes.

Google is hoping to narrow the "patch gap" with companies to find and address issues. The end result would be companies creating the proper patches and sending them out to affected users more quickly, solving critical problems such as the one currently faced.

A Google spokesperson has informed Engadget about its next steps to address the issues, stating, "The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements."

Android Central has contacted Samsung about when it will address the issues but has not received word back in time for publication.

Nickolas Diaz
News Writer
