CVE-2021-28664 Overview
CVE-2021-28664 is a critical memory corruption vulnerability in the Arm Mali GPU kernel driver that enables unprivileged users to achieve read/write access to memory pages that should be read-only. This flaw allows attackers to escalate privileges or cause denial of service through memory corruption on affected devices.
Critical Impact
This vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Unprivileged users can corrupt kernel memory, potentially achieving full device compromise on Android devices and other systems using Mali GPUs.
Affected Products
- Arm Bifrost GPU Kernel Driver r0p0 through r29p0 (fixed in r30p0)
- Arm Midgard GPU Kernel Driver r8p0 through r30p0 (fixed in r31p0)
- Arm Valhall GPU Kernel Driver r19p0 through r29p0 (fixed in r30p0)
Discovery Timeline
- 2021-05-10 - CVE-2021-28664 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-28664
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), stemming from improper memory access control within the Mali GPU kernel driver. The flaw allows an unprivileged user to gain read/write access to memory pages that the kernel has designated as read-only.
The vulnerability is particularly dangerous because it operates at the kernel driver level, where memory protection mechanisms are critical for maintaining system security boundaries. When exploited, an attacker running unprivileged code can modify protected kernel memory regions, bypassing fundamental security guarantees of the operating system.
The network-based attack vector combined with low attack complexity makes this vulnerability accessible to remote attackers under certain conditions. The inclusion in CISA's Known Exploited Vulnerabilities catalog confirms active real-world exploitation.
Root Cause
The root cause lies in improper memory page permission handling within the Mali GPU kernel driver. The driver fails to properly enforce read-only restrictions on certain memory pages when user-space applications interact with the GPU subsystem. This allows an attacker to manipulate the memory access permissions, converting read-only pages to read/write accessible pages from an unprivileged context.
Attack Vector
An attacker can exploit this vulnerability by crafting specific GPU operations or IOCTL calls to the Mali kernel driver that manipulate memory page permissions. The exploitation flow typically involves:
- An unprivileged application opens a handle to the Mali GPU device
- The attacker issues carefully crafted requests that trigger the permission handling flaw
- The kernel driver incorrectly grants write access to read-only memory pages
- The attacker modifies protected memory, enabling privilege escalation or causing system corruption
The vulnerability can be leveraged to achieve kernel code execution by overwriting critical kernel data structures or function pointers, ultimately granting root-level access to the compromised device.
Detection Methods for CVE-2021-28664
Indicators of Compromise
- Unexpected crashes or kernel panics related to Mali GPU driver operations
- Suspicious IOCTL calls to /dev/mali or similar GPU device nodes from unprivileged processes
- Memory corruption errors or inconsistencies in kernel logs related to GPU memory management
- Anomalous privilege escalation events on devices with Mali GPUs
Detection Strategies
- Monitor system calls and IOCTL operations targeting Mali GPU device nodes for unusual patterns
- Implement kernel-level integrity monitoring to detect unauthorized memory modifications
- Deploy endpoint detection rules that identify known exploitation techniques targeting this vulnerability
- Review device GPU driver versions against affected version ranges (Bifrost r0p0-r29p0, Midgard r8p0-r30p0, Valhall r19p0-r29p0)
Monitoring Recommendations
- Enable enhanced logging for GPU driver interactions on systems with Mali hardware
- Configure security monitoring solutions to alert on suspicious process behavior involving GPU device access
- Regularly audit installed GPU driver versions across your device fleet
- Implement application allowlisting to restrict which processes can interact with GPU device nodes
How to Mitigate CVE-2021-28664
Immediate Actions Required
- Update Arm Mali GPU kernel drivers to patched versions: Bifrost r30p0+, Midgard r31p0+, or Valhall r30p0+
- Apply vendor-provided Android security updates that include Mali driver fixes
- Restrict access to GPU device nodes to only trusted applications where possible
- Prioritize patching for internet-facing or high-risk devices
Patch Information
Arm has released patched driver versions that address this vulnerability. The fixed versions are:
- Bifrost: r30p0 and later
- Midgard: r31p0 and later
- Valhall: r30p0 and later
Organizations should obtain updated drivers through their device manufacturers or directly from Arm's security updates. Refer to the ARM Mali GPU Driver Vulnerabilities page and ARM Security Updates for official patch information.
Workarounds
- Limit device access and reduce the attack surface by disabling unnecessary GPU features if operationally feasible
- Implement application sandboxing to restrict which processes can access GPU device interfaces
- Deploy mobile device management (MDM) policies to enforce security controls on affected devices
- Consider network segmentation for devices that cannot be immediately patched to limit exploitation impact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
