CVE-2021-28664 — Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability

CVE-2021-28664

Arm Mali GPU Kernel Driver — Memory Safety Flaw Enables Non-Privileged User to Write to Read-Only Memory, Gain Root, and Corrupt Kernel State on Android Devices

What is the Arm Mali GPU Kernel Driver?

The Arm Mali GPU kernel driver is the kernel-mode interface between Android applications and Mali GPU hardware in a large fraction of Android smartphones and tablets, particularly those using Samsung Exynos, MediaTek, and other Mali-based SoCs. GPU kernel drivers handle sensitive operations: managing GPU memory mappings, scheduling GPU workloads, and controlling hardware-level memory access permissions. Memory safety vulnerabilities in GPU kernel drivers can allow an unprivileged app to violate kernel memory protection — writing to regions marked read-only, corrupting other processes' memory, and ultimately escalating to root privileges. These vulnerabilities are of particular interest to commercial spyware developers and state-sponsored actors targeting Android devices.

Overview

CVE-2021-28664 is a memory safety vulnerability (CWE-787) in the Arm Mali GPU kernel driver affecting Bifrost and Midgard GPU families. A non-privileged user can exploit the flaw to gain write access to read-only kernel memory, gain root privilege, corrupt memory, and modify the memory of other processes. The attack impacts kernel integrity — memory that should be write-protected can be modified, enabling kernel code execution and complete device compromise. Arm patched this in driver r31p0. CISA added it to the KEV catalog in November 2021 alongside the companion vulnerability CVE-2021-28663. Both vulnerabilities affect the same Mali GPU driver release and were confirmed exploited in the same timeframe.

Affected Versions

Product | Vulnerable | Fixed
Mali Bifrost GPU driver before r31p0 | Yes | r31p0 and later
Mali Midgard GPU driver before r31p0 | Yes | r31p0 and later
Android devices with Mali GPU using pre-r31p0 driver | Yes | Requires OEM kernel update

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in the Mali GPU kernel driver — the driver performs a memory write beyond the intended bounds of an allocated buffer; the write reaches adjacent kernel memory including regions that should be write-protected (read-only)
  • Read-only memory write: The ability to write to kernel read-only memory is a severe primitive — read-only kernel sections typically include code pages, security constants, and hardware-enforced access control tables; writing to these allows overwriting kernel code or security structures
  • Root privilege and memory of other processes: Achieving write access to arbitrary kernel memory locations enables: overwriting process credentials (UID = 0 → root), modifying page table entries (to access any physical memory), and reading or modifying the memory contents of all other running processes
  • Paired with CVE-2021-28663: Both CVE-2021-28664 (OOB write, CWE-787) and CVE-2021-28663 (UAF, CWE-416) were patched in the same r31p0 release and added to CISA KEV simultaneously — exploitation campaigns likely use both bugs for robustness or as a combined chain
  • Android kernel protections bypassed: Modern Android kernels use kernel address space layout randomization (KASLR) and kernel page table isolation; Mali driver bugs that provide write primitives are used to defeat these mitigations and achieve reliable kernel code execution

Discovery

Identified and reported to Arm; patched in Mali GPU driver r31p0, released alongside the CVE-2021-28663 fix. The November 2021 CISA KEV addition reflects exploitation of pre-r31p0 Mali driver versions on Android devices where OEM kernel updates incorporating the fix had not been released or applied.

Exploitation Context

CVE-2021-28664 and CVE-2021-28663 represent a common pattern in Android kernel exploitation: multiple driver vulnerabilities patched in the same release cycle, used together to provide reliable kernel privilege escalation across a range of Android versions and device configurations. Commercial spyware firms and nation-state actors targeting Android maintain exploit libraries with multiple Mali GPU driver bugs — if one exploit fails due to OS version or kernel hardening, another is available. The November 2021 CISA KEV additions for both Mali CVEs reflect confirmed exploitation activity, likely targeting specific device populations or individuals of interest to sophisticated threat actors.

Remediation

  1. Apply Android security updates from your device manufacturer — OEM security bulletins incorporate Mali GPU driver patches when available
  2. Verify your Android Security Patch Level (Settings → About Phone → Android Security Patch Level) and ensure it is no older than November 2021
  3. Devices without ongoing security updates should be replaced with supported models; the Mali driver patching pipeline requires ongoing OEM updates
  4. Limit app installation to trusted sources (Google Play Store with Play Protect enabled); initial code execution via a malicious app is required before kernel exploitation
  5. For high-risk individuals: Google Pixel devices with GrapheneOS or the latest Pixel software provide the fastest access to upstream Arm driver patches
  6. Monitor for anomalous device behavior that may indicate kernel-level compromise: unexpected battery drain, unusual network connections, unknown apps with device admin privileges
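The version check from the Affected Versions table and the patch-level check from step 2, applied to a device inventory. This is an added example, not code from Arm or from this page. The CSV column names, device IDs and sample rows are constructed, and it assumes the inventory records a Bifrost or Midgard driver version in Arm's rNNpM form where one is known.

```python
import csv
import io
import re
from datetime import date

FIXED_DRIVER = (31, 0)               # r31p0, the fixed release named on this page
MIN_PATCH_LEVEL = date(2021, 11, 1)  # "no older than November 2021" (step 2)

# Constructed sample inventory (hypothetical device IDs and column names).
SAMPLE_INVENTORY = """device_id,security_patch,mali_driver
lab-01,2021-04-01,r26p0
lab-02,2021-11-05,r31p0
lab-03,2021-12-01,
lab-04,2021-08-05,r32p1-01eac0
lab-05,unknown,r29p0
lab-06,,
"""

def parse_driver(text):
    """Return (release, patch) from 'r31p0' or 'r32p1-<suffix>', else None."""
    m = re.match(r"r(\d+)p(\d+)", text.strip().lower())
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_patch_level(text):
    """Return a date from 'YYYY-MM-DD', else None for blank or malformed input."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None

def classify(security_patch, mali_driver):
    # The driver version is direct evidence, so it wins when it parses.
    driver = parse_driver(mali_driver)
    if driver is not None:
        return "fixed" if driver >= FIXED_DRIVER else "vulnerable"
    # Otherwise fall back to the patch level, which is weaker, indirect evidence.
    level = parse_patch_level(security_patch)
    if level is None:
        return "unknown"
    return "patch-level-ok" if level >= MIN_PATCH_LEVEL else "vulnerable"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["security_patch"] or "", r["mali_driver"] or "")
            for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as "unknown" or "patch-level-ok" still need the driver version confirmed with the OEM, since the patch level only indicates that an update containing the fix could have been applied.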

Key Details

Property | Value
CVE ID | CVE-2021-28664
Vendor / Product | Arm — Mali Graphics Processing Unit (GPU)
NVD Published | 2021-05-10
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-05-10 | CVE published; Arm releases Mali GPU driver r31p0 fixing CVE-2021-28664 alongside CVE-2021-28663
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog — alongside companion CVE-2021-28663
2021-11-17 | CISA BOD 22-01 remediation deadline