VYPR
Unrated severity · NVD Advisory · Published Mar 24, 2020 · Updated Aug 5, 2024

CVE-2019-20600

Description

A use-after-free vulnerability in the MALI GPU driver on Samsung Exynos8890 devices allows a potential attacker to gain elevated privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the MALI GPU driver on Samsung mobile devices with Exynos8890 chipsets running O(8.0) and P(9.0) software. The issue was identified by Samsung and assigned SVE-2019-13921-1 (May 2019) [1].

Exploitation

To exploit this vulnerability, an attacker would need local access to the device and the ability to execute code in the context of the GPU driver. The use-after-free condition can be triggered by a specific sequence of GPU operations that cause the driver to reference memory after it has been freed. No authentication beyond local device access is required.

Impact

Successful exploitation of the use-after-free could lead to memory corruption and potentially allow an attacker to execute arbitrary code with kernel privileges, resulting in full compromise of the device's confidentiality, integrity, and availability.

Mitigation

Samsung released a security update in May 2019 as part of its monthly maintenance release. The patch addresses the use-after-free in the MALI GPU driver for affected Exynos8890 devices running O(8.0) and P(9.0). Users should apply the latest security update from Samsung [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
