CVE-2021-29256 — Arm Mali GPU Kernel Driver Use-After-Free Vulnerability

Arm Mali GPU Kernel Driver — Use-After-Free Enables Non-Privileged User to Gain Root Privilege on Android and Linux Devices; Bifrost/Midgard Affected

What is the Arm Mali GPU Kernel Driver?

The Arm Mali GPU is a graphics processor used in hundreds of millions of Android devices, including flagship smartphones from Samsung (Exynos chipsets), Google Pixel devices, Huawei, MediaTek-powered devices, and others. The Mali GPU kernel driver (kbase) is a kernel-mode component that manages communication between user-space applications and the Mali GPU hardware. Because it runs in kernel space with direct hardware access, use-after-free vulnerabilities in the Mali driver allow applications to corrupt kernel memory and escalate from an unprivileged app to root — breaking Android's application sandbox and achieving complete device control. The Android kernel driver supply chain (where Arm releases driver fixes that device manufacturers must incorporate into their own kernel builds and then push to devices) creates significant delays between Arm's upstream fixes and availability to end users.

Overview

CVE-2021-29256 is a use-after-free vulnerability (CWE-416) in the Arm Mali GPU kernel driver that allows a non-privileged user or application to gain root privilege and potentially disclose sensitive information. The vulnerability affects Bifrost and Midgard GPU driver versions before r32p0. A malicious app can trigger the UAF in the GPU kernel driver to corrupt kernel memory and escalate to root, breaking the Android app sandbox. CISA added this to the KEV catalog in July 2023 — over two years after the initial patch — reflecting confirmed exploitation against Android devices running unfixed kernel builds.

Affected Versions

Product | Vulnerable | Fixed
Mali Bifrost GPU driver before r32p0 | Yes | r32p0 and later
Mali Midgard GPU driver before r32p0 | Yes | r32p0 and later
Android devices with unpatched Mali driver | Yes | Depends on device manufacturer update

Technical Details

  • Root cause: Use-after-free (CWE-416) in the Mali GPU kernel driver — the kernel-mode driver frees a GPU memory object while maintaining active references; subsequent access through the dangling pointer corrupts kernel memory structures
  • Kernel privilege escalation: Exploiting the UAF achieves arbitrary kernel memory read/write, enabling the attacker to overwrite security-critical kernel data structures (such as process credentials) and escalate to root
  • Android sandbox escape: Root privilege on Android allows bypassing the app sandbox — reading data from all other installed apps, accessing protected system files, disabling security mechanisms, and installing persistent kernel-level malware
  • CVSS note: The AV:N rating in the NVD CVSS vector is atypical for a kernel driver UAF; in practice this vulnerability requires local execution of a malicious application (AV:L) — the network attack vector likely reflects that an Android app can be delivered via the network (e.g., sideloaded APK or exploited via a browser renderer) before triggering the local kernel UAF
  • OEM patching delay: Arm releases upstream driver fixes that Android device manufacturers (Samsung, MediaTek, etc.) must incorporate into device-specific kernel builds, test, and deploy via OTA updates — this pipeline creates months to years of delay between Arm's fix and actual device remediation

Discovery

Identified and reported to Arm. Arm released the driver fix in Mali driver r32p0. The July 2023 CISA KEV addition — 26 months after the patch — reflects exploitation of this Mali GPU driver vulnerability against Android devices that had not received driver updates from their OEMs.

Exploitation Context

Arm Mali GPU driver vulnerabilities have become a significant attack surface for Android exploit chains. Threat actors targeting Android devices — particularly commercial spyware vendors and state-sponsored actors — use Mali GPU driver UAF vulnerabilities as kernel escalation steps after achieving initial code execution via a browser or app vulnerability. The long gap between Arm's driver release and device manufacturer OTA updates (sometimes never, for older devices) creates a persistent window of exploitation. The July 2023 CISA KEV addition highlights that Android devices running Samsung Exynos, Google Pixel, or MediaTek SoCs with unfixed Mali driver builds remain vulnerable years after the upstream fix.

Remediation

  1. Apply the latest Android security updates from your device manufacturer — Android security bulletins include Mali GPU driver fixes when available from Arm
  2. Verify which Android Security Patch Level your device is running: Settings → About Phone → Android Security Patch Level; compare against Google's published Android security bulletins
  3. If your device manufacturer no longer provides security updates for your device model (end of support), consider replacing the device — unsupported Android devices are permanently vulnerable to known kernel driver vulnerabilities
  4. Prefer devices from manufacturers with strong update commitments: Google Pixel (5 years of updates), Samsung Galaxy (4 years), and flagship models from other major OEMs with documented update commitments
  5. Limit sideloading of untrusted APK files — Mali GPU kernel driver exploits require code execution on the device; reducing the initial attack surface limits exploitation opportunities
  6. For high-risk individuals: consider GrapheneOS (on supported Pixel devices) which maintains its own kernel with faster security patch integration
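A fleet check for steps 2 and 3 above, added here as an example that is not part of this advisory: it reads the Android Security Patch Level from every adb-connected device and flags devices whose level predates 2021-06-01, the bulletin that began carrying Mali driver fixes per the timeline below. It assumes adb is on PATH, uses standard Android getprop keys, and treats a "mali" entry under /sys/module as a heuristic for a loaded Mali kbase driver rather than an authoritative driver version check.

```shell
#!/bin/sh
# Added example (not from the advisory): flag adb-connected Android devices
# whose Android Security Patch Level predates 2021-06-01, the first bulletin
# carrying Mali driver fixes per this page's timeline.
# Assumptions: adb is on PATH; getprop keys are standard Android properties;
# a "mali" entry under /sys/module is only a heuristic for a Mali kbase driver.

MIN_PATCH_LEVEL="2021-06-01"

# Exit 0 if LEVEL (YYYY-MM-DD) is at or after MIN_PATCH_LEVEL,
# 1 if it is older, 2 if it is missing or malformed.
patch_level_ok() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  have=$(printf '%s' "$level" | sed 's/-//g')        # 2021-05-01 -> 20210501
  want=$(printf '%s' "$MIN_PATCH_LEVEL" | sed 's/-//g')
  [ "$have" -ge "$want" ] && return 0
  return 1
}

# Print one verdict for a device: OK, PATCH, NO-MALI, or UNKNOWN.
verdict() {
  level="$1"; mali_modules="${2:-0}"
  if [ "$mali_modules" -eq 0 ]; then echo "NO-MALI"; return 0; fi
  rc=0
  patch_level_ok "$level" || rc=$?
  case "$rc" in
    0) echo "OK" ;;
    1) echo "PATCH" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# Walk every authorized device adb can see; skips cleanly when adb is absent.
audit_fleet() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found; nothing to audit"; return 0; }
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
    model=$(adb -s "$serial" shell getprop ro.product.model | tr -d '\r')
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    mali=$(adb -s "$serial" shell ls /sys/module 2>/dev/null | tr -d '\r' | grep -ci mali || true)
    printf '%s\t%s\t%s\t%s\n' "$serial" "$model" "$level" "$(verdict "$level" "$mali")"
  done
}

audit_fleet
```

A PATCH verdict means the OEM build predates the fix window; an OK verdict only means the patch level is recent enough, so confirm the OEM actually shipped the r32p0 driver for that model.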

Key Details

Property | Value
CVE ID | CVE-2021-29256
Vendor / Product | Arm — Mali Graphics Processing Unit (GPU)
NVD Published | 2021-05-24
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-416
CISA KEV Added | 2023-07-07
CISA KEV Deadline | 2023-07-28
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-07-28. Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Timeline

Date | Event
2021-05-24 | CVE published; Arm releases driver fix
2021-06-01 | Android security bulletin begins incorporating fixes for Mali driver vulnerabilities
2023-07-07 | Added to CISA Known Exploited Vulnerabilities catalog — over two years after patch, confirming continued exploitation
2023-07-28 | CISA BOD 22-01 remediation deadline