CVE-2023-26083 Overview
CVE-2023-26083 is a memory leak vulnerability affecting multiple Arm Mali GPU Kernel Drivers. This flaw allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata. The vulnerability impacts a wide range of Mali GPU architectures including Midgard, Bifrost, Valhall, and Avalon (5th Gen) GPU kernel drivers across numerous version ranges.
Despite its low CVSS score, this vulnerability has been confirmed as actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The exposure of kernel metadata can provide attackers with critical information useful for bypassing security mitigations such as Kernel Address Space Layout Randomization (KASLR), potentially enabling more sophisticated follow-up attacks.
Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog. Sensitive kernel metadata exposure can facilitate privilege escalation and security mitigation bypasses on affected mobile and embedded devices.
Affected Products
- Arm Midgard GPU Kernel Driver (versions r6p0 - r32p0)
- Arm Bifrost GPU Kernel Driver (versions r0p0 - r42p0)
- Arm Valhall GPU Kernel Driver (versions r19p0 - r42p0)
- Arm 5th Gen (Avalon) GPU Architecture Kernel Driver (versions r41p0 - r42p0)
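To triage a device inventory against the version ranges listed above, the following added example (not part of the original advisory and not Arm tooling) parses `rNpM` driver version strings and checks them against those ranges. The inventory record layout, function names and sample devices are assumptions made for illustration; collecting the driver version from each device is out of scope here.

```python
import re

# Affected ranges copied from the "Affected Products" list on this page,
# as inclusive (release, patch) bounds.
AFFECTED = {
    "midgard": ((6, 0), (32, 0)),
    "bifrost": ((0, 0), (42, 0)),
    "valhall": ((19, 0), (42, 0)),
    "avalon": ((41, 0), (42, 0)),
}
_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$", re.IGNORECASE)

def parse_version(text):
    """Turn 'r38p1' into (38, 1); raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an rNpM driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(arch, version):
    """True if version is inside the listed range; KeyError on unlisted arch."""
    low, high = AFFECTED[arch.lower()]
    return low <= parse_version(version) <= high

def triage(inventory):
    """Map (device, arch, version) records to (device, status), where status
    is 'affected', 'not-in-range' or 'unknown'."""
    results = []
    for device, arch, version in inventory:
        try:
            status = "affected" if is_affected(arch, version) else "not-in-range"
        except (KeyError, ValueError):
            status = "unknown"  # never silently treat bad data as safe
        results.append((device, status))
    return results

# Constructed sample inventory (device names and versions are made up).
SAMPLE = [
    ("tablet-01", "Bifrost", "r38p1"),
    ("phone-07", "Valhall", "r18p0"),
    ("phone-12", "Valhall", "r43p0"),
    ("board-03", "Midgard", "r32p0"),
    ("kiosk-02", "Avalon", "r41p0"),
    ("phone-20", "Valhall", "unknown"),
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE):
        print(f"{device}: {status}")
```

A `not-in-range` result reflects only the ranges listed on this page; patch status should still be confirmed with the device manufacturer as described under Patch Information.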
Discovery Timeline
- 2023-04-06 - CVE-2023-26083 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2023-26083
Vulnerability Analysis
This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), commonly known as a memory leak. In the context of the Mali GPU kernel driver, the flaw occurs during GPU processing operations where memory containing sensitive kernel metadata is not properly released or sanitized before being accessible to user-space processes.
The attack requires local access to the system, meaning an attacker must be able to execute code on a device with an affected Mali GPU. Exploitation does not require elevated privileges, and successful exploitation has a confidentiality impact through the disclosure of kernel memory information.
The vulnerability is particularly concerning in mobile device contexts where Mali GPUs are prevalent. Android devices from numerous manufacturers use Arm Mali GPUs, making the attack surface substantial. The leaked kernel metadata can reveal memory addresses and other sensitive information that attackers can leverage to defeat Kernel Address Space Layout Randomization (KASLR) and other kernel security mechanisms.
Root Cause
The root cause of CVE-2023-26083 lies in improper memory management within the Mali GPU kernel driver. When processing GPU operations, the driver fails to properly clear or release memory structures that contain kernel metadata. This oversight allows the sensitive information to persist and become accessible to unprivileged user-space applications through normal GPU processing interfaces.
The issue spans multiple GPU architecture generations (Midgard, Bifrost, Valhall, and Avalon), suggesting the vulnerable code pattern exists in shared components or was replicated across driver implementations for different GPU architectures.
Attack Vector
Exploitation of CVE-2023-26083 follows a local attack vector where a malicious application running on an affected device can trigger the memory leak through legitimate GPU API calls. The attack flow involves:
- A non-privileged application initiates GPU processing operations through standard driver interfaces
- The vulnerable driver code processes these requests without properly sanitizing memory structures
- Kernel metadata is inadvertently exposed through the memory leak
- The attacker captures this leaked information for use in subsequent attacks
The exposed kernel metadata typically includes memory addresses and structural information that can be used to defeat KASLR, calculate base addresses of kernel modules, or identify the locations of critical kernel structures for use in privilege escalation exploits.
Detection Methods for CVE-2023-26083
Indicators of Compromise
- Unusual GPU driver memory allocation patterns or excessive memory consumption by user-space applications
- Applications making abnormal sequences of GPU ioctl calls attempting to extract kernel information
- Presence of suspicious applications attempting to read or log kernel memory addresses
- Evidence of KASLR bypass attempts following GPU driver interaction
Detection Strategies
- Monitor for applications making repeated GPU processing requests with patterns consistent with information gathering
- Implement kernel memory access auditing to detect attempts to read or reference exposed kernel addresses
- Deploy application behavior analysis to identify processes exhibiting memory probing characteristics
- Review installed applications for known malware variants that exploit Mali GPU vulnerabilities
Monitoring Recommendations
- Enable kernel audit logging for GPU driver interactions where supported
- Monitor system logs for Mali GPU driver errors or unusual operation patterns
- Implement endpoint detection and response (EDR) solutions capable of detecting kernel information disclosure attempts
- Track security advisories from device manufacturers for indicators specific to exploitation of this vulnerability
How to Mitigate CVE-2023-26083
Immediate Actions Required
- Update affected devices to the latest firmware and kernel driver versions from the device manufacturer
- Review and apply security patches from Arm addressing Mali GPU kernel drivers
- Restrict installation of untrusted applications that could exploit this vulnerability
- Enable all available kernel hardening features on affected systems
Patch Information
Arm has acknowledged this vulnerability and provided security updates through their Mali GPU Driver Vulnerabilities security center. Organizations should obtain patched driver versions from their device manufacturers or system vendors, as Mali GPU driver updates are typically distributed through:
- Device OEM firmware updates (for mobile devices)
- Linux kernel updates (for embedded systems and development boards)
- Android security bulletins (for Android devices)
Due to the fragmented nature of Android device updates, users should verify with their specific device manufacturer regarding patch availability and deployment timelines.
Workarounds
- Limit application installation to trusted sources and verified applications only
- Implement Mobile Device Management (MDM) policies to control application installation on enterprise devices
- Consider network segmentation for devices that cannot be immediately patched
- Monitor affected devices more closely for signs of compromise until patches can be applied


