CVE-2021-28663 Overview
CVE-2021-28663 is a critical use-after-free vulnerability affecting the Arm Mali GPU kernel driver that allows privilege escalation or information disclosure. The vulnerability exists because GPU memory operations are mishandled, creating a condition where freed memory can be accessed by an attacker. This flaw affects multiple generations of Mali GPU drivers including Bifrost, Valhall, and Midgard architectures, impacting a wide range of mobile devices, embedded systems, and IoT devices that utilize Arm Mali graphics processors.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation can lead to complete system compromise through privilege escalation or sensitive data exfiltration via information disclosure.
Affected Products
- Arm Bifrost GPU Kernel Driver r0p0 through r28p0 (before r29p0)
- Arm Valhall GPU Kernel Driver r19p0 through r28p0 (before r29p0)
- Arm Midgard GPU Kernel Driver r4p0 through r30p0
Discovery Timeline
- 2021-05-10 - CVE-2021-28663 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-28663
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) resides in the Arm Mali GPU kernel driver's memory management subsystem. The flaw occurs when GPU memory operations are improperly handled, allowing an attacker to reference memory after it has been freed. In the context of kernel drivers, this type of vulnerability is particularly dangerous as it can be leveraged to corrupt kernel memory structures, potentially leading to arbitrary code execution with kernel-level privileges.
The vulnerability affects the memory allocation and deallocation routines within the Mali GPU driver, where a race condition or improper reference counting can lead to a scenario where a memory region is freed while still being referenced by other components. When this freed memory is subsequently reallocated and modified, the dangling reference can be exploited to achieve privilege escalation from an unprivileged user context to kernel context.
Root Cause
The root cause of CVE-2021-28663 stems from improper handling of GPU memory operations within the Mali kernel driver. Specifically, the vulnerability is triggered by a failure to properly track and validate memory references during GPU memory management operations. When memory regions used by the GPU are freed, the driver fails to properly invalidate all references to these regions, creating dangling pointers that can be subsequently exploited.
This type of memory safety issue is common in complex kernel drivers that must manage shared memory between user space, kernel space, and hardware accelerators. The Mali GPU driver's memory management must coordinate between multiple execution contexts, and the failure to properly synchronize these operations creates the use-after-free condition.
Attack Vector
The attack vector for this vulnerability is network-based according to its classification, though practical exploitation typically requires local code execution on the target device. An attacker with low-privilege access to a system running vulnerable Mali GPU drivers can craft malicious GPU memory operations to trigger the use-after-free condition. The exploitation process generally involves:
- Allocating GPU memory buffers through the Mali driver interface
- Manipulating the memory allocation patterns to create a predictable heap state
- Triggering the use-after-free by causing premature memory deallocation
- Spraying controlled data into the freed memory region
- Using the dangling reference to corrupt kernel data structures and achieve privilege escalation
A proof-of-concept repository demonstrating this vulnerability is available on GitHub. The exploitation requires understanding of the Mali GPU driver's memory management internals and kernel heap manipulation techniques.
Detection Methods for CVE-2021-28663
Indicators of Compromise
- Unusual GPU memory allocation patterns or excessive memory pressure on Mali GPU subsystems
- Kernel crash logs indicating memory corruption in Mali driver modules (mali_kbase, mali_bifrost, mali_midgard)
- Suspicious processes attempting to interact with Mali GPU device files (/dev/mali*) with elevated frequency
- Evidence of heap spraying techniques in kernel memory regions
- Unexpected privilege elevation from user-level processes to root/kernel level
Detection Strategies
- Monitor for kernel oops or panics originating from Mali GPU driver code paths
- Implement kernel memory integrity monitoring to detect corruption in driver-related structures
- Deploy endpoint detection solutions capable of monitoring GPU driver interactions and system call patterns
- Analyze device driver version information to identify systems running vulnerable Mali driver versions
Monitoring Recommendations
- Enable kernel auditing for device file access to /dev/mali* and related GPU interfaces
- Configure crash dump collection to preserve forensic evidence of potential exploitation attempts
- Implement behavioral analysis to detect anomalous GPU memory allocation patterns
- Monitor for privilege escalation events following GPU driver interactions
How to Mitigate CVE-2021-28663
Immediate Actions Required
- Update Arm Mali GPU kernel drivers to patched versions: Bifrost r29p0 or later, Valhall r29p0 or later, or contact vendor for Midgard updates
- Prioritize patching for any internet-facing or multi-user systems with Mali GPU hardware
- Review system access controls to minimize unprivileged access to GPU device interfaces
- Consider deploying additional kernel hardening measures such as KASLR, heap protection, and SELinux/AppArmor policies
Patch Information
Arm has released security updates addressing this vulnerability. The fixes are available in Bifrost r29p0 and later, and Valhall r29p0 and later. For detailed patch information and download links, consult the ARM Security Updates page and the Mali GPU Driver Security Update documentation.
For device manufacturers and OEMs, integration of the patched drivers into device firmware updates is essential. End users should check with their device manufacturer for firmware updates that include the Mali GPU driver fixes.
Workarounds
- Restrict access to Mali GPU device files using file system permissions and SELinux policies
- On multi-user systems, limit GPU access to trusted applications and users only
- Consider disabling GPU acceleration in high-security environments until patches can be applied
- Implement additional security boundaries around applications that interact with GPU drivers
# Restrict Mali GPU device access to specific user groups
chmod 660 /dev/mali*
chown root:gpu /dev/mali*
# Optional: Apply SELinux policy to restrict Mali driver access
# Consult your distribution's SELinux documentation for proper implementation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
