A security researcher has discovered a serious flaw in the Mali GPU kernel driver used on certain Google Pixel smartphones. The vulnerability allows attackers to gain complete control over affected devices.
For those unaware, the Mali GPU kernel driver is a piece of software that handles communication between the Android operating system and the device’s graphics processing unit (GPU). It is essential for rendering graphics and other visual elements on the device.
The expert uncovered two related vulnerabilities in the driver. The first allows for an integer overflow through a specific command, while the second leaks kernel memory addresses. Combined, an attacker could use these to modify code in the device’s memory and launch attacks.
The danger is that a malicious app could exploit the vulnerability to gain root privileges. That’s the highest level of access on an Android device, essentially granting the attacker full control. They could potentially install other malware, steal sensitive data, or even permanently damage the device.
According to the researcher, these versions of the Pixel 7 and 8 Pro running Android 14 are vulnerable:
- Pixel 8 Pro: google/husky/husky:14/UD1A.231105.004/11010374:user/release-keys
- Pixel 7 Pro: google/cheetah/cheetah:14/UP1A.231105.003/11010452:user/release-keys
- Pixel 7 Pro: google/cheetah/cheetah:14/UP1A.231005.007/10754064:user/release-keys
Google has reportedly fixed this vulnerability (CVE-2023-26083) in the December 2023 Android Security Update. If you are using an affected device, ensure you have installed the latest software updates. It is always important practice to update your devices as soon as security patches become available.
Here’s how to check and update your Android system:
- Open the “Settings” app on your Pixel phone.
- Scroll down and tap “System.”
- Select “System Update.”
- You’ll see your update status and be able to follow any on-screen prompts.
Having said that, there are a couple of things you can do to keep your device secure and safe from apps that can exploit vulnerabilities. First, be wary of installing apps from unknown sources. Stick to the official Google Play Store. Second, pay attention to what permissions apps request before installation and only grant those that are absolutely necessary.
Note: The researcher has shared technical details and a proof-of-concept exploit that you can check out here.