CVE-2021-28663

8.8 HIGH

📋 TL;DR

This vulnerability in the Arm Mali GPU kernel driver allows attackers to escalate privileges or disclose sensitive information due to mishandled GPU memory operations leading to use-after-free conditions. It affects devices using Bifrost, Valhall, and Midgard GPU architectures. The vulnerability enables local attackers to gain elevated kernel privileges on affected systems.

💻 Affected Systems

Products:
  • Arm Mali GPU kernel driver
Versions: Bifrost r0p0 through r28p0, Valhall r19p0 through r28p0, Midgard r4p0 through r30p0
Operating Systems: Android, Linux distributions with Mali GPU support
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using Arm Mali GPUs including many Android smartphones, tablets, and embedded systems. The vulnerability is in the kernel driver, not user-space components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with kernel-level code execution, allowing complete control over the device, data exfiltration, and persistence mechanisms.

🟠 Likely Case

Privilege escalation from a limited user or app to root/kernel privileges, enabling access to sensitive data and system resources.

🟢 If Mitigated

Limited impact if proper kernel hardening, SELinux/AppArmor policies, and privilege separation are implemented, though exploitation may still be possible.

🌐 Internet-Facing: LOW (requires local access for exploitation, not directly exploitable over network)
🏢 Internal Only: HIGH (local attackers or malicious apps can exploit this to gain kernel privileges)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and some kernel exploitation knowledge. Public proof-of-concept code exists on GitHub, making exploitation more accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Bifrost r29p0, Valhall r29p0, Midgard r31p0

Vendor Advisory: https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver

Restart Required: Yes

Instructions:

1. Check current Mali GPU driver version.
2. Obtain updated kernel driver from device manufacturer or Arm.
3. Apply kernel patch or update.
4. Rebuild kernel if using custom kernel.
5. Reboot system to load patched driver.

🔧 Temporary Workarounds

Restrict GPU access

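Linux: limit which users and apps can open the GPU device node through file permissions. With the settings below only root can open /dev/mali0, so every non-root process loses GPU access.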

chmod 600 /dev/mali0
chown root:root /dev/mali0

Enable kernel hardening

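Linux: enable kernel protections such as KASLR, stack canaries, and SELinux/AppArmor. The two settings below hide kernel pointers from unprivileged users and restrict unprivileged use of perf events.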

echo 1 > /proc/sys/kernel/kptr_restrict
echo 2 > /proc/sys/kernel/perf_event_paranoid

🧯 If You Can't Patch

  • Implement strict application sandboxing and privilege separation
  • Monitor for suspicious GPU memory operations and kernel crashes

🔍 How to Verify

Check if Vulnerable:

Check kernel logs for Mali driver version: dmesg | grep -i mali

Check Version:

dmesg | grep -i 'mali.*version' or check /sys/class/misc/mali0/device/driver/version

Verify Fix Applied:

Verify driver version is patched: cat /sys/class/misc/mali0/device/driver/version
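
To make the version check above concrete, the following added example (not part of the original advisory or of Arm's tooling) classifies a driver release string against the affected ranges listed under Affected Systems. The function names are hypothetical, and the release must be supplied in the rNpM form used on this page.

```shell
# Added example: classify a Mali kernel driver release against the affected
# ranges listed on this page. Function names are hypothetical.

# Split "rNpM" into "N M"; fail on anything else.
mali_parse_rel() {
    case $1 in
        r[0-9]*p[0-9]*) ;;
        *) return 1 ;;
    esac
    _maj=${1#r}; _maj=${_maj%%p*}
    _min=${1#*p}
    case $_maj$_min in *[!0-9]*) return 1 ;; esac
    echo "$_maj $_min"
}

# Succeed when release $1 <= release $2 (compare N first, then M).
mali_rel_le() {
    set -- $(mali_parse_rel "$1") $(mali_parse_rel "$2")
    [ $# -eq 4 ] || return 2
    [ "$1" -lt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -le "$4" ]; }
}

# Print one of: affected, outside-affected-range, unparsable, unknown-arch.
# "outside-affected-range" covers releases before the first affected one
# and releases at or after the patch versions.
mali_status() {
    arch=$(echo "$1" | tr 'A-Z' 'a-z')
    case $arch in
        bifrost) first=r0p0;  last=r28p0 ;;
        valhall) first=r19p0; last=r28p0 ;;
        midgard) first=r4p0;  last=r30p0 ;;
        *) echo "unknown-arch"; return 0 ;;
    esac
    mali_parse_rel "$2" >/dev/null || { echo "unparsable"; return 0; }
    if mali_rel_le "$first" "$2" && mali_rel_le "$2" "$last"; then
        echo "affected"
    else
        echo "outside-affected-range"
    fi
}

# Constructed sample inputs (not read from a device).
for sample in "bifrost r28p0" "bifrost r29p0" "midgard r30p0" "valhall r18p0"; do
    set -- $sample
    printf '%s %s: %s\n' "$1" "$2" "$(mali_status "$1" "$2")"
done
```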

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic or oops messages related to Mali driver
  • Unusual GPU memory allocation patterns
  • Multiple failed attempts to access /dev/mali device

Network Indicators:

  • None (local exploitation only)

SIEM Query:

source="kernel" AND ("mali" OR "gpu") AND ("panic" OR "oops" OR "segfault")
