CVE-2023-26083 – expose sensitive kernel metadata (16-04-2023)

Preface: The kernel doesn’t have libc or system calls if you’re not running in user mode.

Background: Open Source Mali Midgard GPU Kernel Drivers – The Android and Linux versions of the Mali GPU device driver provide low-level access to the Mali-T6xx, Mali-T7xx and Mali-T8xx series GPUs.
Under normal circumstances, once the kernel driver and user-space libraries are installed, you can enable OpenCL support with:
echo "libmali.so" | sudo tee /etc/OpenCL/vendors/mali.icd
And check that it is found with:
sudo clinfo

Vulnerability details: Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.
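
As an added example (not part of the original advisory or of Arm's code), the sketch below checks driver release strings against the affected ranges listed above, for triaging a device inventory. It assumes the range endpoints are inclusive and that a release string has the form rXpY with an optional build suffix after a hyphen; the device names and sample releases are constructed.

```python
import re

# Affected ranges as listed in the advisory text, endpoints treated as inclusive.
AFFECTED = {
    "midgard": ((6, 0), (32, 0)),
    "bifrost": ((0, 0), (42, 0)),
    "valhall": ((19, 0), (42, 0)),
    "avalon": ((41, 0), (42, 0)),
}

# rXpY, optionally followed by a build suffix such as "-01eac0" (ignored here).
_RELEASE = re.compile(r"r(\d+)p(\d+)(?:-\S*)?")


def parse_release(text):
    """Turn 'r38p1' or 'r38p1-01eac0' into the comparable tuple (38, 1)."""
    match = _RELEASE.fullmatch(text.strip().lower())
    if match is None:
        raise ValueError(f"not an rXpY release string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(family, release):
    """True when the release falls inside the advisory's range for that family."""
    low, high = AFFECTED[family.strip().lower()]  # KeyError for unknown family
    return low <= parse_release(release) <= high


def triage(inventory):
    """Map each (device, family, release) row to affected / not affected / unknown."""
    report = {}
    for device, family, release in inventory:
        try:
            hit = is_affected(family, release)
            report[device] = "affected" if hit else "not affected"
        except (KeyError, ValueError):
            report[device] = "unknown"  # needs manual review, never assume safe
    return report


# Constructed sample inventory (device names and releases are made up).
SAMPLE = [
    ("tablet-a", "Midgard", "r32p0"),
    ("phone-b", "Valhall", "r38p1-01eac0"),
    ("phone-c", "Valhall", "r43p0"),
    ("board-d", "Bifrost", "unknown-build"),
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(f"{device}: {status}")
```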

Reminder: If the vulnerability is categorized as CWE-401 – Improper Release of Memory Before Removing Last Reference (‘Memory Leak’), consider whether it can be reused. If it can, the risk rating will be higher.

Product: Arm Avalon GPU Kernel Driver

CVSS Score: 5.5

** KEV since 2023-04-07 **

Official announcement: NVD – https://nvd.nist.gov/vuln/detail/CVE-2023-26083
