CVE-2024-4610 — Arm Mali GPU Kernel Driver Use-After-Free Vulnerability

CVE-2024-4610

Arm Bifrost/Valhall GPU Kernel Driver — Use-After-Free Enables Local Privilege Escalation; Limited Targeted Exploitation Confirmed

What is the Arm Mali GPU Kernel Driver?

The Arm Mali GPU is a family of graphics processors used in a wide range of mobile devices and embedded systems — including Android smartphones, tablets, smart TVs, and automotive systems from Samsung, MediaTek, and other SoC vendors. The Mali GPU kernel driver runs with kernel privileges and manages GPU memory, context switching, and command queue processing between user-mode GPU applications and the hardware. Because GPU drivers bridge user-mode applications and the kernel, they are a large, complex, and frequently targeted attack surface for local privilege escalation on Android.

Overview

CVE-2024-4610 is a use-after-free vulnerability in the Arm Bifrost and Valhall Mali GPU kernel drivers that allows a local, non-privileged user to make improper GPU memory processing operations to access already-freed memory, leading to privilege escalation. Arm confirmed "limited targeted exploitation in the wild" at the time of disclosure on June 7, 2024; CISA added it to the KEV catalog five days later, reflecting the urgency of the active exploitation context.

Affected Versions

| Driver Series | Status |
| --- | --- |
| Arm Bifrost GPU Kernel Driver (r34p0–r40p0) | Patched — upgrade to r41p0 or later |
| Arm Valhall GPU Kernel Driver (r34p0–r40p0) | Patched — upgrade to r41p0 or later |

Android OEM devices (Samsung Exynos, MediaTek Dimensity, etc.) receive the patched driver through vendor-specific kernel updates delivered via Android security bulletins.

Technical Details

CWE-416 (Use-After-Free). The Mali GPU kernel driver manages GPU memory objects that represent contexts, job slots, and memory mappings shared between user-mode GPU applications and the kernel driver. A flaw in the driver's object lifecycle management causes a reference to a freed GPU memory object to remain accessible to a user-mode GPU client. By triggering the right sequence of GPU operations — allocating, freeing, and then accessing a GPU object — a local attacker can cause the freed memory to be reused (potentially with attacker-controlled content via GPU memory allocation) and then dereference the stale pointer, achieving a controlled kernel write.

The resulting kernel write primitive is usable for privilege escalation: overwriting kernel security tokens, process privilege structures, or function pointers to gain SYSTEM/root-equivalent access on the device. The Low Attack Complexity (AC:L) rating indicates this is reliably exploitable without race conditions.

Discovery

Arm identified the exploitation in the wild and disclosed the vulnerability simultaneously with the patch. The five-day turnaround from CVE publication to CISA KEV addition suggests the exploitation intelligence came from a trusted partner (likely Google TAG or a mobile security firm that observed the exploit in a spyware chain) and was shared with CISA before public disclosure.

Exploitation Context

Arm Mali GPU driver vulnerabilities are a recurring target for mobile surveillance tool vendors. Previous Mali UAF bugs (CVE-2021-28664, CVE-2022-22706, CVE-2023-4211) were also exploited in limited targeted attacks, demonstrating sustained attacker interest in this attack surface. The pattern is consistent with commercial spyware chains: a malicious app or browser exploit provides initial unprivileged code execution → Mali UAF provides kernel LPE → the attacker gains root access and can install persistent surveillance software outside the Android security model.

The Bifrost and Valhall architectures are found in Samsung Exynos SoCs and high-end MediaTek chips powering hundreds of millions of Android devices worldwide, giving this driver a very broad attack surface even for "limited, targeted" exploitation.

Remediation

  1. Apply Android security updates from your device OEM that include the patched Arm Mali GPU kernel driver (r41p0 or later). Check Settings → Security → Security update for the current patch level.
  2. For Samsung Galaxy devices with Exynos SoCs: apply Samsung's monthly security updates promptly, as they include patched Mali GPU drivers.
  3. For MediaTek-based devices: check the device OEM's security bulletin for patch availability.
  4. Devices running Android versions that no longer receive security updates will not receive this patch — consider replacing end-of-life devices used in security-sensitive roles.
  5. Restrict side-loading of apps from unknown sources to reduce the risk of malicious apps attempting to exploit this vulnerability.
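
One way to triage a device inventory against the release boundaries in the Affected Versions table (an added example, not code from Arm or from this page). It assumes each device reports a driver version string containing an rXXpY release tag; the inventory format, function names and sample rows are constructed for illustration, and releases outside the stated r34p0 to r40p0 and r41p0-or-later ranges are reported as "not-listed" rather than guessed.

```python
import re

# Release boundaries exactly as stated in the Affected Versions table.
FIRST_AFFECTED, LAST_AFFECTED = (34, 0), (40, 0)  # r34p0 .. r40p0
FIRST_FIXED = (41, 0)                             # r41p0

# rXXpY release tag, not glued to a preceding letter or digit.
RELEASE_RE = re.compile(r"(?<![A-Za-z0-9])r(\d+)p(\d+)", re.IGNORECASE)

# Constructed sample inventory: device id, reported driver version string.
SAMPLE_INVENTORY = """\
tablet-01,r38p1-01eac0
phone-02,r41p0-01eac0
kiosk-03,r40p0
tv-04,r32p1
phone-05,
"""


def parse_release(text):
    """Return (release, patch) from a driver version string, or None."""
    m = RELEASE_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version_text):
    """Triage status for CVE-2024-4610 based on the reported release."""
    rel = parse_release(version_text)
    if rel is None:
        return "unknown"      # no release tag reported: check by hand
    if rel >= FIRST_FIXED:
        return "fixed"
    if FIRST_AFFECTED <= rel <= LAST_AFFECTED:
        return "affected"
    return "not-listed"       # outside the ranges the page states


def triage(inventory_csv):
    """Group device ids by status; blank lines are skipped."""
    report = {}
    for line in filter(str.strip, inventory_csv.splitlines()):
        device, _, version = line.partition(",")
        report.setdefault(classify(version), []).append(device.strip())
    return report


if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<10} {', '.join(devices)}")
```

Devices in the "unknown" and "not-listed" groups need a manual check against the OEM's security bulletin, since the page gives no status for them.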

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2024-4610 |
| Vendor / Product | Arm — Mali GPU Kernel Driver |
| NVD Published | 2024-06-07 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2024-06-12 |
| CISA KEV Deadline | 2024-07-03 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-07-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2024-06-07 | CVE published; Arm releases patched Mali GPU kernel driver |
| 2024-06-12 | Added to CISA Known Exploited Vulnerabilities catalog — confirms limited targeted exploitation within 5 days of disclosure |
| 2024-07-03 | CISA BOD 22-01 remediation deadline |