CVE-2023-26083
Published: 06 April 2023
Summary
CVE-2023-26083 is a low-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the Arm 5th Gen GPU Architecture Kernel Driver. Its CVSS base score is 3.3 (Low).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 PE-19 (Information Leakage) and SC-4 (Information in Shared System Resources).
Deeper analysis
CVE-2023-26083 is a memory leak vulnerability (CWE-401) in the Mali GPU Kernel Driver. It affects Midgard GPU Kernel Driver versions r6p0 through r32p0, Bifrost versions r0p0 through r42p0, Valhall versions r19p0 through r42p0, and Avalon versions r41p0 through r42p0. The flaw permits a non-privileged user to perform valid GPU processing operations that leak sensitive kernel metadata. It is rated CVSS 3.3, with a local attack vector and low complexity.
A local attacker with a non-privileged account on an affected system can trigger the vulnerability through legitimate GPU operations, resulting in exposure of kernel metadata without requiring elevated privileges or user interaction.
Advisories from Arm and related vulnerability databases, referenced at developer.arm.com and cybersecurity-help.cz, provide further details on affected driver versions and recommended updates. The EPSS score remains low, with a current value of 0.0523 and a peak of 0.0733.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29957
Vulnerability details
Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.
- CWE(s): CWE-401
- KEV Date Added: 07 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires safeguards against unauthorized transfer of information (kernel metadata) through shared system resources such as GPU memory.
Requires the system to prevent unintended information transfer via shared resources, directly mitigating the memory-leak exposure of kernel metadata.
Enforces process isolation boundaries that limit the ability of unprivileged GPU operations to reach and leak kernel memory structures.