SentinelOne

CVE-2021-28664: Arm Bifrost GPU Privilege Escalation Flaw

CVE-2021-28664 is a privilege escalation vulnerability in the Arm Bifrost GPU kernel driver that allows unprivileged users to gain read/write access to read-only pages. This article covers technical details, affected versions, and mitigation.

CVE-2021-28664 Overview

CVE-2021-28664 is a critical memory corruption vulnerability in the Arm Mali GPU kernel driver that enables unprivileged users to achieve read/write access to memory pages that should be read-only. This flaw allows attackers to escalate privileges or cause denial of service through memory corruption on affected devices.

Critical Impact

This vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Unprivileged users can corrupt kernel memory, potentially achieving full device compromise on Android devices and other systems using Mali GPUs.

Affected Products

  • Arm Bifrost GPU Kernel Driver r0p0 through r29p0 (fixed in r30p0)
  • Arm Midgard GPU Kernel Driver r8p0 through r30p0 (fixed in r31p0)
  • Arm Valhall GPU Kernel Driver r19p0 through r29p0 (fixed in r30p0)

Discovery Timeline

  • 2021-05-10 - CVE-2021-28664 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2021-28664

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-Bounds Write), stemming from improper memory access control within the Mali GPU kernel driver. The flaw allows an unprivileged user to gain read/write access to memory pages that the kernel has designated as read-only.

The vulnerability is particularly dangerous because it operates at the kernel driver level, where memory protection mechanisms are critical for maintaining system security boundaries. When exploited, an attacker running unprivileged code can modify protected kernel memory regions, bypassing fundamental security guarantees of the operating system.

The network-based attack vector combined with low attack complexity makes this vulnerability accessible to remote attackers under certain conditions. The inclusion in CISA's Known Exploited Vulnerabilities catalog confirms active real-world exploitation.

Root Cause

The root cause lies in improper memory page permission handling within the Mali GPU kernel driver. The driver fails to properly enforce read-only restrictions on certain memory pages when user-space applications interact with the GPU subsystem. This allows an attacker to manipulate the memory access permissions, converting read-only pages to read/write accessible pages from an unprivileged context.

Attack Vector

An attacker can exploit this vulnerability by crafting specific GPU operations or IOCTL calls to the Mali kernel driver that manipulate memory page permissions. The exploitation flow typically involves:

  1. An unprivileged application opens a handle to the Mali GPU device
  2. The attacker issues carefully crafted requests that trigger the permission handling flaw
  3. The kernel driver incorrectly grants write access to read-only memory pages
  4. The attacker modifies protected memory, enabling privilege escalation or causing system corruption

The vulnerability can be leveraged to achieve kernel code execution by overwriting critical kernel data structures or function pointers, ultimately granting root-level access to the compromised device.

Detection Methods for CVE-2021-28664

Indicators of Compromise

  • Unexpected crashes or kernel panics related to Mali GPU driver operations
  • Suspicious IOCTL calls to /dev/mali or similar GPU device nodes from unprivileged processes
  • Memory corruption errors or inconsistencies in kernel logs related to GPU memory management
  • Anomalous privilege escalation events on devices with Mali GPUs

Detection Strategies

  • Monitor system calls and IOCTL operations targeting Mali GPU device nodes for unusual patterns
  • Implement kernel-level integrity monitoring to detect unauthorized memory modifications
  • Deploy endpoint detection rules that identify known exploitation techniques targeting this vulnerability
  • Review device GPU driver versions against affected version ranges (Bifrost r0p0-r29p0, Midgard r8p0-r30p0, Valhall r19p0-r29p0)

Monitoring Recommendations

  • Enable enhanced logging for GPU driver interactions on systems with Mali hardware
  • Configure security monitoring solutions to alert on suspicious process behavior involving GPU device access
  • Regularly audit installed GPU driver versions across your device fleet
  • Implement application allowlisting to restrict which processes can interact with GPU device nodes

How to Mitigate CVE-2021-28664

Immediate Actions Required

  • Update Arm Mali GPU kernel drivers to patched versions: Bifrost r30p0+, Midgard r31p0+, or Valhall r30p0+
  • Apply vendor-provided Android security updates that include Mali driver fixes
  • Restrict access to GPU device nodes to only trusted applications where possible
  • Prioritize patching for internet-facing or high-risk devices

Patch Information

Arm has released patched driver versions that address this vulnerability. The fixed versions are:

  • Bifrost: r30p0 and later
  • Midgard: r31p0 and later
  • Valhall: r30p0 and later

Organizations should obtain updated drivers through their device manufacturers or directly from Arm's security updates. Refer to the ARM Mali GPU Driver Vulnerabilities page and ARM Security Updates for official patch information.
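
The driver version audit recommended under Detection Strategies and Patch Information, as an added example (not SentinelOne's or Arm's code): it classifies a device inventory against the affected ranges listed on this page. The inventory rows, the optional `-suffix` on version strings, and the choice to treat unlisted point releases below the fixed version as affected are assumptions.

```python
import re

# Ranges as stated on this page: (first affected, first fixed) per family.
AFFECTED = {
    "bifrost": ((0, 0), (30, 0)),
    "midgard": ((8, 0), (31, 0)),
    "valhall": ((19, 0), (30, 0)),
}

# 'rXpY', optionally followed by a '-suffix' build tag (assumed format).
_VERSION = re.compile(r"^r(\d+)p(\d+)(?:-\S+)?$")

def parse_version(text):
    """Return (release, patch) for an 'rXpY' string, or None if unparseable."""
    m = _VERSION.match(text.strip().lower())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(family, version):
    """Return 'affected', 'not-affected' or 'unknown' for one driver."""
    bounds = AFFECTED.get(family.strip().lower())
    parsed = parse_version(version)
    if bounds is None or parsed is None:
        return "unknown"  # route to manual review rather than guessing
    first_affected, first_fixed = bounds
    # Conservative assumption: anything below the fixed release is affected,
    # including point releases such as r29p1 that the page does not list.
    if first_affected <= parsed < first_fixed:
        return "affected"
    return "not-affected"

def audit(inventory):
    """Map device name -> status for rows of (device, family, version)."""
    return {dev: classify(fam, ver) for dev, fam, ver in inventory}

# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE = [
    ("tablet-01", "Bifrost", "r29p0"),
    ("phone-02", "Bifrost", "r30p0"),
    ("kiosk-03", "Midgard", "r30p0-01rel0"),
    ("phone-04", "Valhall", "r18p0"),
    ("phone-05", "Valhall", "r29p1"),
    ("board-06", "other-gpu", "r9p0"),   # family not listed on this page
    ("phone-07", "Bifrost", "unknown"),  # version string could not be read
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as `unknown` need manual review; they are not confirmed safe.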

Workarounds

  • Limit device access and reduce the attack surface by disabling unnecessary GPU features if operationally feasible
  • Implement application sandboxing to restrict which processes can access GPU device interfaces
  • Deploy mobile device management (MDM) policies to enforce security controls on affected devices
  • Consider network segmentation for devices that cannot be immediately patched to limit exploitation impact

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
