Google’s Project Zero this week highlighted the “gap” in getting security patches out the door and to affected users, and in doing so also revealed that millions of Android phones are at risk of an active security vulnerability.
The specific issue that Google’s Project Zero is highlighting this week is a security vulnerability known as CVE-2022-33917. It’s a vulnerability that affects devices using Arm’s Mali GPU, which means it affects Google Pixel, Samsung Galaxy, and countless other Android smartphones.
If exploited, it would allow an attacker to “read and write physical pages after they had been returned to the system,” potentially gaining “broad access” to a user’s data.
Arm apparently fixed these issues for its Mali GPUs a while back, after they were first discovered in June and July. But several months later, Project Zero found that many Android devices from Samsung, Oppo, Xiaomi, and even Google’s own Pixel lineup have yet to implement these fixes, leaving the vulnerability open.
We reported these five issues to ARM when they were discovered between June and July 2022. ARM fixed the issues promptly in July and August 2022, disclosing them as security issues on their Arm Mali Driver Vulnerabilities page (assigning CVE-2022-36449) and publishing the patched driver source on their public developer website.
…we discovered that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.
It’s worth noting that this doesn’t apply to devices using Qualcomm Snapdragon chips, as those do not use Arm’s Mali GPU. However, devices using MediaTek chips, Samsung Exynos, as well as Google Tensor are affected.
The post Google says a months-old security vulnerability still hasn’t been patched on Pixel, Samsung first appeared on 9to5google.com