CVE-2021-28663 — Arm Mali Graphics Processing Unit (GPU) Use-After-Free Vulnerability

CVE-2021-28663

Arm Mali GPU Kernel Driver — Use-After-Free in GPU Memory Management Enables Non-Privileged App to Gain Root and Disclose Information on Android Devices

What is the Arm Mali GPU Kernel Driver?

The Arm Mali GPU powers the graphics subsystem in hundreds of millions of Android smartphones, tablets, and embedded Linux devices. The Mali GPU kernel driver (kbase module) is a kernel-mode component responsible for all communication between user-space GPU applications and the physical GPU hardware. As a kernel-mode component managing hardware-level memory mappings and GPU contexts for all running applications, the Mali driver has a large and complex attack surface. Use-after-free vulnerabilities in Mali's kernel driver allow a non-privileged user-space application to access freed kernel GPU objects, corrupt kernel memory, and escalate from the Android application sandbox to root — enabling complete device compromise.

Overview

CVE-2021-28663 is a use-after-free vulnerability (CWE-416) in the Arm Mali GPU kernel driver (Bifrost and Midgard families) that allows a non-privileged user to perform improper operations on GPU memory, gain root privilege, and disclose sensitive information. A malicious application can exploit the UAF to corrupt kernel memory structures and escalate to root — bypassing the Android app sandbox and achieving complete device control. Arm released a fix in driver version r31p0. CISA added this to the KEV catalog in November 2021 — six months after the upstream fix — reflecting confirmed exploitation against Android devices awaiting OEM kernel updates.

Affected Versions

Product | Vulnerable | Fixed
Mali Bifrost GPU driver before r31p0 | Yes | r31p0 and later
Mali Midgard GPU driver before r31p0 | Yes | r31p0 and later
Android devices with Mali GPU (Samsung Exynos, MediaTek) | Yes | Requires OEM kernel update with r31p0 driver

Technical Details

  • Root cause: Use-after-free (CWE-416) in the Mali GPU kernel driver — the driver manages GPU memory objects (contexts, job chains, VA regions) that are shared between the user-space GPU application and the kernel; a race condition or improper lifecycle management allows a GPU memory object to be freed while the driver still holds an active reference, and a subsequent operation through the dangling pointer corrupts kernel memory
  • Root escalation: The UAF provides a kernel heap corruption primitive — by controlling the memory that occupies the freed object's address, the attacker can overwrite kernel security structures, redirect kernel execution, and gain root (UID 0 / full kernel) privileges
  • Improper GPU memory operations: The description "improper operations on GPU memory" indicates the vulnerability lies in GPU memory mapping or unmapping operations — functions called by user-space GPU applications to allocate and free GPU-accessible memory regions
  • Android sandbox escape: Once root is achieved through the Mali kernel driver, the attacker has escaped the Android app sandbox: they can access all installed app data, system files, camera, microphone, location data, and install persistent kernel-level code
  • Paired with CVE-2021-28664: CVE-2021-28663 (UAF, CWE-416) and CVE-2021-28664 (OOB write, CWE-787) were both patched in the same May 2021 Arm driver release, and both added to CISA KEV simultaneously — suggesting they were used together or both confirmed in the same exploitation campaigns

Discovery

Reported to Arm and patched in Mali GPU driver r31p0. The November 2021 CISA KEV addition reflects active exploitation in the period between the upstream Arm fix and availability of patched kernels from device manufacturers — a gap of months to years for most Android devices.

Exploitation Context

Arm Mali GPU driver vulnerabilities are a primary exploit chain component for Android kernel privilege escalation. Commercial spyware vendors and nation-state actors targeting Android devices routinely include Mali GPU kernel exploits in their toolkits because: (1) Mali GPU is present in a large fraction of Android devices, (2) the kernel driver code is complex and historically defect-prone, and (3) OEM patching delays keep devices vulnerable for extended periods. CVE-2021-28663 was added to CISA KEV in November 2021 alongside CVE-2021-28664 — the simultaneous addition of paired Mali vulnerabilities suggests they were identified in exploitation chains used against specific targeted devices or populations.

Remediation

  1. Install the latest Android security updates from your device manufacturer — Samsung, Google, and other OEMs include Mali GPU driver patches in their security bulletins
  2. Apply updates promptly: many Android OEMs release monthly security updates; check Settings → System → System Update
  3. Verify the Android Security Patch Level: Settings → About Phone → Android Security Patch Level; compare against the month of CVE-2021-28663's KEV addition (November 2021)
  4. Devices that no longer receive manufacturer updates are permanently exposed — consider replacement with a supported device
  5. Avoid installing untrusted applications (APKs) outside of official app stores; Mali GPU kernel exploits require initial code execution via a malicious app or browser exploit
  6. Google Pixel devices and devices running GrapheneOS receive faster security patches due to direct integration of upstream kernel fixes
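
The version and patch-level checks above can be applied across a device inventory. The following is an added example, not code from Arm, CISA or this page's author: it treats the Mali driver version (fixed at r31p0) as authoritative when it is known and otherwise falls back to the Android Security Patch Level compared against November 2021. The inventory field names, the sample records and the verdict labels are assumptions made for illustration.

```python
import re
from datetime import date

FIXED_DRIVER = (31, 0)               # r31p0, the fixed release named on this page
REFERENCE_SPL = date(2021, 11, 1)    # month of the KEV addition (remediation step 3)
AFFECTED_FAMILIES = {"bifrost", "midgard"}   # families listed under Affected Versions

_DDK_RE = re.compile(r"r(\d+)p(\d+)", re.IGNORECASE)

def parse_ddk(version):
    """Return (release, patch) from 'r31p0' or 'r26p0-01rel0'; None if unparseable."""
    m = _DDK_RE.search(version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_spl(spl):
    """Parse a patch level such as '2021-11-01' (the value reported by
    `getprop ro.build.version.security_patch`); None if missing or malformed."""
    try:
        return date.fromisoformat(spl)
    except (TypeError, ValueError):
        return None

def triage(device):
    """Classify one inventory record (hypothetical schema) for CVE-2021-28663."""
    if (device.get("gpu_family") or "").lower() not in AFFECTED_FAMILIES:
        return "not-listed"            # family not in this page's affected table
    ddk = parse_ddk(device.get("mali_driver"))
    if ddk is not None:                # driver version known: compare to r31p0
        return "fixed" if ddk >= FIXED_DRIVER else "vulnerable"
    spl = parse_spl(device.get("security_patch"))
    if spl is not None and spl < REFERENCE_SPL:
        return "likely-vulnerable"     # patch level predates the reference month
    return "verify"                    # recent or unknown SPL does not prove r31p0 shipped

# Constructed inventory records (not real devices).
INVENTORY = [
    {"id": "dev-01", "gpu_family": "Bifrost", "mali_driver": "r26p0-01rel0", "security_patch": "2021-03-01"},
    {"id": "dev-02", "gpu_family": "Midgard", "mali_driver": "r31p0", "security_patch": "2021-12-01"},
    {"id": "dev-03", "gpu_family": "Bifrost", "mali_driver": None, "security_patch": "2021-08-05"},
    {"id": "dev-04", "gpu_family": "Bifrost", "mali_driver": "", "security_patch": "2022-01-01"},
    {"id": "dev-05", "gpu_family": "Adreno", "mali_driver": None, "security_patch": "2020-01-01"},
]

def triage_all(inventory):
    """Map each device id to its verdict."""
    return {d["id"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for dev_id, verdict in triage_all(INVENTORY).items():
        print(dev_id, verdict)
```

A "verify" verdict means the patch level alone cannot confirm the fix, since the affected-versions table ties remediation to an OEM kernel that carries the r31p0 driver.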

Key Details

Property | Value
CVE ID | CVE-2021-28663
Vendor / Product | Arm — Mali Graphics Processing Unit (GPU)
NVD Published | 2021-05-10
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-416
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-05-10 | CVE published; Arm releases Mali GPU driver fix
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog — six months after patch
2021-11-17 | CISA BOD 22-01 remediation deadline