Last updated: November 24th, 2022 at 15:04 UTC+01:00
Millions of Samsung phones powered by Exynos, or more specifically, Exynos chipsets with Mali GPUs (of which there are many), are currently vulnerable to several security exploits. One can lead to kernel memory corruption, another to physical memory addresses being disclosed, and three other vulnerabilities can lead to a physical page use-after-free condition.
In essence, these vulnerabilities could allow an attacker to continue to read and write physical pages after they had been returned to the system. In other words, an attacker with native code execution in an app could gain full access to the system and bypass the permission model in Android OS (via Google Project Zero).
ARM fixed the issue, but smartphone manufacturers have not
These security flaws discovered by Project Zero were brought to ARM’s attention in June and July. ARM fixed these Mali-related security flaws a month later, but as of this writing, no smartphone vendors have applied security patches to address these vulnerabilities.
The Mali GPU from ARM can be found in smartphones across different brands, including Samsung, Xiaomi, and Oppo. In fact, the exploit was originally discovered as it was targeting the Pixel 6. Google hasn’t patched this vulnerability either, despite Project Zero’s efforts to bring the problem to light.
This vulnerability doesn’t concern Samsung devices powered by Snapdragon or the Galaxy S22 series. Yes, the latter has an Exynos chipset in some markets, but it uses an Xclipse 920 graphics chip rather than a Mali GPU.