CVE-2022-34830
Description
An Arm product family through 2022-06-29 has a TOCTOU Race Condition that allows a non-privileged user to make improper GPU processing operations to gain access to already freed memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU race condition in Arm Mali GPU drivers allows non-privileged users to access freed memory.
Vulnerability
A time-of-check time-of-use (TOCTOU) race condition exists in certain Arm Mali GPU processor families and their drivers. The flaw, present in products through 2022-06-29, allows a non-privileged user to perform improper GPU processing operations that result in accessing already freed memory. Affected products include Arm Mali GPU drivers and firmware for a range of Mali GPU processors.
Exploitation
An attacker must be a local non-privileged user on a system with an affected Arm Mali GPU driver. Exploitation requires winning a small race window: the attacker crafts specific GPU processing operations that interleave with memory management operations, causing the driver to use memory that has already been freed.
Impact
Successful exploitation leads to accessing already freed memory, which could result in information disclosure or potentially privilege escalation depending on how the freed memory is reused. The vulnerability is classified as a TOCTOU race condition with memory corruption implications.
Mitigation
Arm has released security updates addressing this vulnerability; users should apply the latest Mali GPU driver updates from Arm or their device vendor. The vulnerability was disclosed as part of Arm's June 2022 security updates [1][2]. No known workarounds are provided; applying the patch is the recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Arm/Arm product family
- Range: <=2022-06-29
Patches
No patches discovered yet.
References