CVE-2021-28663 - OpenCVE

The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Arm	Valhall Gpu Kernel Driver Bifrost Gpu Kernel Driver Midgard Gpu Kernel Driver

Configuration 1 [-]

OR	cpe:2.3:a:arm:bifrost_gpu_kernel_driver::::::::
	cpe:2.3:a:arm:midgard_gpu_kernel_driver::::::::
	cpe:2.3:a:arm:valhall_gpu_kernel_driver::::::::

References

Link	Resource
https://developer.arm.com/support/arm-security-updates	Vendor Advisory
https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver	Vendor Advisory
https://github.com/lntrx/CVE-2021-28663

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-10T00:00:00

Updated: 2023-02-23T00:00:00

Reserved: 2021-03-18T00:00:00

Link: CVE-2021-28663

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-10T15:15:07.557

Modified: 2023-12-13T13:51:52.563

Link: CVE-2021-28663

JSON object: View

Redhat Information

No data.

CWE

CWE-416

{"cisaActionDue": "2021-11-17", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Arm Mali Graphics Processing Unit (GPU) Use-After-Free Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:bifrost_gpu_kernel_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "86D3D5C7-EF1B-401B-836C-79FD7C16B5CA", "versionEndIncluding": "r28p0", "versionStartIncluding": "r0p0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:midgard_gpu_kernel_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57F0AF0-BB86-41BE-B41F-951FC34878D2", "versionEndIncluding": "r30p0", "versionStartIncluding": "r4p0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:valhall_gpu_kernel_driver:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D901BF7-E72F-4BC7-96DD-FC9D87F3AE8A", "versionEndIncluding": "r28p0", "versionStartIncluding": "r19p0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0."}, {"lang": "es", "value": "El controlador del kernel de Arm Mali GPU, permite una escalada de privilegios o una divulgaci\u00f3n de informaci\u00f3n porque las operaciones de la memoria de la GPU son manejadas inapropiadamente, conllevando a un uso de la memoria previamente liberada. Esto afecta a Bifrost versiones r0p0 hasta r28p0, anteriores a r29p0, Valhall versiones r19p0 hasta r28p0 anteriores a r29p0 y Midgard versiones r4p0 hasta r30p0"}], "id": "CVE-2021-28663", "lastModified": "2023-12-13T13:51:52.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-10T15:15:07.557", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://developer.arm.com/support/arm-security-updates"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver"}, {"source": "cve@mitre.org", "url": "https://github.com/lntrx/CVE-2021-28663"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}