"Google Warns: Android 'Patch Gap' Is Leaving These Smartphones Vulnerable to Attack"

Many Android smartphones have been found to be vulnerable to a number of high-severity security flaws that have yet to be addressed, despite Arm releasing fixes. The unpatched flaws identified by Google Project Zero (GPZ) affect Android phones equipped with Arm Mali GPUs. According to GPZ researcher Ian Beer, even Google's Pixel phones, as well as phones from Samsung, Xiaomi, Oppo, and others, are vulnerable. Beer is urging all major Android smartphone vendors to do what customers are constantly told to do, which is to patch their devices as soon as possible. Although Arm released fixes months ago, smartphone users cannot apply a patch for the Arm Mali GPU driver because no Android smartphone vendor has applied the fixes to its Android builds. According to Beer's blog, Jann Horn, a fellow GPZ researcher, discovered five exploitable vulnerabilities in the Mali GPU driver, tracked as issues 2325, 2327, 2331, 2333, and 2334. Arm patched them in July and August, assigning the vulnerability identifier CVE-2022-36449 to them, disclosing them on the Arm Mali Driver Vulnerabilities page, and publishing the patched driver source on its public developer website. Another Mali GPU bug that Arm fixed is CVE-2022-33917. The Android team is in discussions with Android smartphone manufacturers and will require them to patch the vulnerabilities in order to comply with the Android Original Equipment Manufacturer (OEM) Security Patch Level (SPL) policy. However, the Pixel team will not have patches for a few weeks. Other Android OEMs will eventually follow suit. This article continues to discuss the Android patch gap leaving smartphones vulnerable to attacks.

ZDNet reports "Google Warns: Android 'Patch Gap' Is Leaving These Smartphones Vulnerable to Attack"
