Android smartphone manufacturers show a lack of diligence regarding vulnerabilities

  • November 25, 2022

Project Zero, Google’s team dedicated to investigating and finding security flaws, has published several Android security flaws in smartphones that use Mali graphics accelerators, which are present, for example, in Exynos SoC models. Project Zero usually gives a certain amount of time before publishing its findings, but in this case the situation seems more bizarre than usual.

Mali graphics accelerators are designed by ARM Holdings itself, the company that created the processor architecture. ARM did its part in July and August when it came to patching the vulnerabilities, but smartphone manufacturers such as Samsung, Xiaomi, Oppo and even Google itself (yes, this complaint comes from the inside) did not do the same, and apparently Project Zero gave them until earlier this week.

Researchers discovered five new security flaws in June and July, all of which were ARM's responsibility to fix. The flaws are quite serious: one leads to kernel memory corruption, another exposes physical memory addresses to user space, and the remaining three lead to a use-after-free condition on physical memory pages.

Use-after-free flaws of this kind allow an attacker to continue reading and writing physical pages after they have been returned to the system. Moreover, by forcing the kernel to reuse those pages as page tables, an attacker can gain full access to the system, bypassing Android's permission mechanisms and gaining broad access to user data.

Three months after ARM patched the security flaws, the Project Zero team discovered that all of their test devices were still vulnerable. As of Tuesday, the issues have not been mentioned in any subsequent security bulletins from Android smartphone makers, so they are believed to remain open to potentially catastrophic attacks.

At the moment it looks like Samsung, Google, Oppo and Xiaomi (and possibly many others) have not released a corresponding security update to fix the vulnerabilities affecting the driver that Android uses for Mali graphics accelerators. Unfortunately, this is the usual scenario: Android smartphones in general tend to be poorly maintained by the responsible companies, with security patches delivered late and laughably short support periods.

Source: Muy Computer
