British semiconductor giant Arm has warned customers about a memory safety bug in Mali GPU kernel drivers that has been exploited in the wild.
Tracked as CVE-2024-4610, the bug is described as a use-after-free issue that could be exploited by local users to make improper GPU memory processing operations.
Successful exploitation of the flaw allows a non-privileged attacker to access previously freed memory, Arm explains in an advisory.
“Arm is aware of reports of this vulnerability being exploited in the wild,” the company notes.
Use-after-free vulnerabilities typically occur when a program continues to access a memory location after deallocating it. Attackers can abuse this to leak or tamper with data, crash the program, or achieve arbitrary code execution.
According to Arm, CVE-2024-4610 impacts the Bifrost and Valhall GPU kernel drivers. The bug was introduced in driver version r34p0 and was addressed with the release of Bifrost and Valhall driver version r41p0 in November 2022.
The British company did not share details on the observed exploitation, but urged users to update their devices as soon as possible.
Arm’s Mali GPUs are used in millions of devices, including smartphones, tablets, smart TVs, and various types of embedded systems.
At least two other vulnerabilities in Mali GPUs have been exploited in the wild over the past two years, including CVE-2023-4211, which was addressed in October 2023, and CVE-2022-22706, which was resolved in January 2022.
Some Arm Mali GPU vulnerabilities are known to have been exploited by commercial spyware vendors.
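For teams triaging a device fleet against the version range above, the following is an added example, not code from Arm or from the original article. It assumes driver versions are already collected as strings in the rNNpM form, possibly with a build suffix, and that the string reflects the code actually shipped; the inventory and device names are constructed.

```python
import re

# Range stated in the article: introduced in r34p0, fixed in r41p0.
INTRODUCED = (34, 0)
FIXED = (41, 0)

# Versions are written r<release>p<patch>; text before or after it, such as
# a build suffix, is tolerated (assumption about how inventories record it).
_VERSION_RE = re.compile(r"(?<![A-Za-z0-9])r(\d+)p(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (release, patch) from a string containing rNNpM, or None."""
    m = _VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Classify one driver version string against the CVE-2024-4610 range."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable data is never reported as safe
    if version < INTRODUCED:
        return "not affected (predates bug)"
    if version < FIXED:
        return "affected"
    return "fixed"


def triage(inventory):
    """Map device name -> status for a {device: version_string} inventory."""
    return {device: classify(ver) for device, ver in inventory.items()}


# Constructed sample inventory; device names and strings are illustrative.
SAMPLE_INVENTORY = {
    "kiosk-01": "r33p0",
    "tablet-07": "r34p0",
    "tv-12": "r40p0-01eac0",
    "phone-03": "r41p0",
    "sensor-09": "unknown-build",
}

if __name__ == "__main__":
    for device, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device:10} {status}")
```

Devices reported as "unknown" need manual follow-up rather than being counted as patched.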

