CVE-2024-2937
📋 TL;DR
A Use After Free vulnerability in Arm Mali GPU kernel drivers allows a local non-privileged user to perform improper GPU memory operations, potentially accessing freed memory. This affects Bifrost, Valhall, and Arm 5th Gen GPU Architecture Kernel Drivers from versions r41p0 through r49p0. Exploitation could lead to privilege escalation or system compromise.
💻 Affected Systems
- Arm Ltd Bifrost GPU Kernel Driver
- Arm Ltd Valhall GPU Kernel Driver
- Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to kernel-level access, enabling full system compromise, data theft, or installation of persistent malware.
Likely Case
Local privilege escalation allowing an attacker to gain elevated privileges on the affected device, potentially leading to further exploitation.
If Mitigated
Limited impact if proper access controls restrict local user privileges or if the system is isolated from critical networks.
🎯 Exploit Status
Exploitation likely involves crafting specific GPU operations; no public exploits are known at this time, but the vulnerability is serious and should be patched promptly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after r49p0 for each affected driver series; check Arm Security Center for specific updates.
Vendor Advisory: https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Restart Required: Yes
Instructions:
1. Visit the Arm Security Center advisory.
2. Identify the correct driver update for your GPU model and version.
3. Apply the patch provided by Arm or your device manufacturer.
4. Reboot the system to load the updated driver.
🔧 Temporary Workarounds
Restrict Local User Access
Platform: all. Limit the number of local non-privileged users on affected systems to reduce attack surface.
Disable Unnecessary GPU Features
Platform: linux. If possible, disable or restrict GPU driver functionalities that are not essential, though this may impact performance.
🧯 If You Can't Patch
- Isolate affected systems from critical networks and sensitive data to limit potential damage from exploitation.
- Implement strict access controls and monitoring for local user activities to detect and respond to suspicious behavior.
🔍 How to Verify
Check if Vulnerable:
Check the GPU driver version on your system; if it falls within r41p0 to r49p0 for Bifrost, Valhall, or Arm 5th Gen drivers, it is vulnerable.
Check Version:
On Linux, use 'cat /sys/class/misc/mali0/device/driver/version' or similar, depending on the system configuration; consult device documentation for specific commands.
Verify Fix Applied:
After patching, verify the driver version is updated to a version after r49p0 for the respective driver series.
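The range check described above, written as a shell function. This is an added example, not code from Arm or from the original page; the function names and sample strings are assumptions, and the version format a given device reports may differ.

```shell
#!/bin/sh
# Added example: classify a Mali kernel driver version against the
# r41p0..r49p0 range this page lists for CVE-2024-2937.

# Pull the first rNNpM token out of arbitrary text (sysfs content, a dmesg line).
mali_extract_version() {
    printf '%s\n' "$1" | grep -Eo 'r[0-9]+p[0-9]+' | head -n 1
}

# Print "vulnerable", "not-in-range" or "unknown" for the given text.
mali_cve_2024_2937_status() {
    ver=$(mali_extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Split rNNpM on 'r' and 'p'; order releases as NN*1000+M so that
    # r49p1 sorts after r49p0 and r41p0 is the inclusive lower bound.
    printf '%s\n' "$ver" | awk -F'[rp]' '{
        key = $2 * 1000 + $3
        if (key >= 41000 && key <= 49000) print "vulnerable"
        else print "not-in-range"
    }'
}

# Check the local driver. The default path is the one quoted on this page;
# it differs between devices, so pass another file as $1 if needed.
mali_check_local() {
    f=${1:-/sys/class/misc/mali0/device/driver/version}
    if [ -r "$f" ]; then
        mali_cve_2024_2937_status "$(cat "$f")"
    else
        echo unknown
    fi
}

# Constructed sample strings, not captured from a real device.
for sample in "r40p0" "r41p0" "r44p0-01eac0" "r49p0" "r49p1" "no version"; do
    printf '%-14s %s\n' "$sample" "$(mali_cve_2024_2937_status "$sample")"
done
```

An "unknown" result means no rNNpM token was found or the file was unreadable, so the version has to be confirmed from device documentation.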
📡 Detection & Monitoring
Log Indicators:
- Unusual GPU driver errors or crashes in system logs (e.g., dmesg or /var/log/syslog)
- Failed privilege escalation attempts or abnormal process behavior related to GPU operations.
Network Indicators:
- None, as this is a local vulnerability with no network exploitation vector.
SIEM Query:
Search for events like 'GPU driver fault' or 'kernel panic' in system logs, combined with user activity from non-privileged accounts.