CVE-2022-38181 — Arm Mali GPU Kernel Driver Use-After-Free Vulnerability

Arm Mali GPU Kernel Driver — Use-After-Free Allowing Non-Privileged Root Escalation on Android Devices

What is the Arm Mali GPU Kernel Driver?

Arm Mali is a family of GPU architectures (Midgard, Bifrost, Valhall) widely used in Android smartphones from Samsung, Google Pixel, Xiaomi, OPPO, and others. The Mali kernel driver runs with kernel-level privileges and manages GPU memory, command scheduling, and hardware interaction. Because it is a kernel module, vulnerabilities in the driver can give attackers a direct path from a low-privilege app to full root and kernel code execution on affected devices.

Overview

CVE-2022-38181 is a use-after-free vulnerability in the Arm Mali GPU kernel driver. A non-privileged local user can trigger a use of freed GPU memory to gain root privileges and/or disclose sensitive kernel information. The vulnerability was highlighted by Google Project Zero as part of broader research into Mali driver security, and CISA added it to the KEV catalog in March 2023 following evidence of active exploitation by commercial surveillance vendors.

Affected Versions

Product                       Vulnerable Versions   Fixed Version
Mali GPU Driver (Midgard)     r4p0 – r32p0          r33p0
Mali GPU Driver (Bifrost)     r0p0 – r38p0          r38p1
Mali GPU Driver (Valhall)     r19p0 – r38p0         r38p1

OEM device patches depend on each manufacturer's kernel update schedule — many Android devices remain unpatched long after Arm releases driver fixes.
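Because OEM patch timing varies, the practical question for an asset owner is whether a given device's reported Mali driver release falls inside the vulnerable ranges in the table above. The following script is an added example (not Arm's code, not from the Project Zero research): it parses Arm's rNpM release strings, encodes the three ranges exactly as the table states them, and classifies an inventory entry. The `AFFECTED_RANGES` table, the function names and the constructed device inventory are this example's own assumptions.

```python
"""Classify Arm Mali kernel driver versions against the CVE-2022-38181
affected ranges. Added example; the ranges are copied from this page's
Affected Versions table and the helper names are assumptions of the example."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int]

# Per architecture: ((first vulnerable, last vulnerable), first fixed release).
# Values are taken from the page's table; the dictionary itself is an assumption
# of this example, not an Arm-published data structure.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[str, str], str]] = {
    "midgard": (("r4p0", "r32p0"), "r33p0"),
    "bifrost": (("r0p0", "r38p0"), "r38p1"),
    "valhall": (("r19p0", "r38p0"), "r38p1"),
}

# Arm release strings look like r31p0 or r38p1 (major "r" number, point "p" number).
_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$", re.IGNORECASE)


def parse_mali_version(text: str) -> Version:
    """Turn 'rNpM' into a comparable (N, M) tuple.

    Anything else raises ValueError so that a malformed inventory entry is
    reported rather than silently treated as patched."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an rNpM Mali driver version: {text!r}")
    return (int(match.group(1)), int(match.group(2)))


def is_vulnerable(architecture: str, version: str) -> bool:
    """True when the release lies inside the table's vulnerable range.

    Tuple comparison gives the right ordering: r38p0 < r38p1 and r9p0 < r31p0,
    which a plain string comparison would get wrong."""
    arch = architecture.strip().lower()
    if arch not in AFFECTED_RANGES:
        raise ValueError(f"unknown Mali architecture: {architecture!r}")
    (first, last), _fixed = AFFECTED_RANGES[arch]
    current = parse_mali_version(version)
    return parse_mali_version(first) <= current <= parse_mali_version(last)


def assess(architecture: str, version: str) -> Dict[str, object]:
    """Return a small record suitable for feeding into an inventory report."""
    arch = architecture.strip().lower()
    vulnerable = is_vulnerable(arch, version)
    return {
        "architecture": arch,
        "version": version.strip(),
        "vulnerable": vulnerable,
        "minimum_fixed": AFFECTED_RANGES[arch][1],
    }


if __name__ == "__main__":
    # Constructed sample inventory (device label, architecture, reported driver release).
    inventory = [
        ("device-A", "Bifrost", "r38p0"),   # last vulnerable Bifrost release
        ("device-B", "Bifrost", "r38p1"),   # first fixed Bifrost release
        ("device-C", "Valhall", "r18p0"),   # below the Valhall range in the table
        ("device-D", "Midgard", "r31p0"),   # inside the Midgard range
        ("device-E", "Valhall", "38.1"),    # malformed entry, should be flagged
    ]
    for label, arch, rel in inventory:
        try:
            result = assess(arch, rel)
            status = "VULNERABLE" if result["vulnerable"] else "not in affected range"
            print(f"{label}: {arch} {rel} -> {status} (fixed from {result['minimum_fixed']})")
        except ValueError as err:
            print(f"{label}: cannot classify: {err}")
```

The check deliberately fails closed on unparseable input: an inventory feed that reports a driver version in an unexpected format should surface as an error to be investigated, not disappear into the "patched" column.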

Technical Details

The flaw is a use-after-free (CWE-416) in the driver's GPU memory management. After the driver frees a GPU memory region, a stale reference to it survives (through a race condition or a logic error in the free path), and kernel code later dereferences the freed memory. An attacker who can control what the kernel allocates into that freed region can corrupt kernel state and redirect execution.

  • Attack vector: Requires local code execution (e.g., a malicious Android app)
  • Privileges required: None beyond a normal unprivileged app context
  • Impact: Root privilege escalation, potential kernel code execution, and memory disclosure
  • Chaining: Frequently used as the second stage in a two-exploit chain — a browser or app exploit achieves initial code execution, then the Mali driver exploit escalates to root for persistence and full device control

Google Project Zero noted that Arm's patch-to-deployment gap on Android OEM devices is a systemic problem: drivers are patched upstream by Arm but device kernels often go unupdated for months or years.

Discovery

Reported by researchers at Google Project Zero, who published detailed analysis in November 2022 covering multiple Mali GPU driver vulnerabilities. Project Zero's research documented that these flaws were being exploited before patches reached end-user devices.

Exploitation Context

Google TAG and Project Zero observed exploitation of Mali GPU driver vulnerabilities by commercial surveillance vendors targeting Android users. CVE-2022-38181 was confirmed exploited in the wild; CISA added it to KEV in March 2023 alongside several other Mali driver CVEs. The exploitation pattern follows a spyware deployment model: the attacker delivers a malicious app or drives the victim to a malicious web page, achieves initial execution via a browser bug, then uses the Mali UAF to escalate to root and install a persistent implant.

Remediation

  1. Install the latest Android security patch for your device — check Settings → Security → Security update
  2. Prioritize patching Samsung Galaxy, Google Pixel, and other Mali GPU–equipped devices
  3. For enterprise environments, enforce minimum Android patch level via MDM policy
  4. Consider restricting sideloaded apps, which are the primary delivery vector for the initial-stage exploit
  5. Check Arm's Mali GPU Driver Vulnerabilities page for driver-level patch availability per architecture generation

Key Details

CVE ID: CVE-2022-38181
Vendor / Product: Arm — Mali Graphics Processing Unit (GPU)
NVD Published: 2022-10-25
NVD Last Modified: 2025-11-03
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-416
CISA KEV Added: 2023-03-30
CISA KEV Deadline: 2023-04-20
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Note that the NVD vector scores the attack vector as Network, whereas the exploitation path described under Technical Details is local (code running in an unprivileged app on the device). For prioritization, treat the local path as the operative one: the driver is reachable from any installed app, not from the network directly.

Required Action

CISA BOD 22-01 Deadline: 2023-04-20. Apply updates per vendor instructions.

Timeline

2022-10-25  CVE published; Arm releases advisory and driver patches
2022-11-01  Google Project Zero publishes research on Mali GPU driver vulnerabilities
2023-03-30  Added to CISA Known Exploited Vulnerabilities catalog
2023-04-20  CISA BOD 22-01 remediation deadline