CVE-2022-38181

HIGH KEV

Arm Mali GPU kernel driver - Memory Corruption

Exploitation Summary

CVE-2022-38181 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 30, 2023. EIP tracks 3 public exploits from researchers including Pro-me3us and R0rt1z2.

Description

The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This affects Bifrost r0p0 through r38p1, and r39p0; Valhall r19p0 through r38p1, and r39p0; and Midgard r4p0 through r32p0.

Exploits (3)

nomisec WORKING POC 7 stars
by Pro-me3us · local
https://github.com/Pro-me3us/CVE_2022_38181_Raven

This repository contains a functional exploit for CVE-2022-38181, targeting the ARM Mali GPU kernel driver on Amazon FireTV 2nd gen Cube. The exploit leverages a use-after-free vulnerability to achieve arbitrary kernel code execution, disabling SELinux and gaining root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: ARM Mali GPU kernel driver (r16p0) on Amazon FireOS (32-bit userspace)
No auth needed
Prerequisites: Amazon FireTV 2nd gen Cube with vulnerable Mali driver · Local access to the device
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 3 stars
by R0rt1z2 · local
https://github.com/R0rt1z2/CVE-2022-38181

This repository contains a functional exploit for CVE-2022-38181, targeting a vulnerability in the Mali GPU driver on Android devices. The exploit leverages memory corruption to achieve local privilege escalation (LPE) by manipulating GPU memory allocations and executing shellcode to bypass SELinux restrictions.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Mali GPU driver (Android)
No auth needed
Prerequisites: Android device with vulnerable Mali GPU driver · Access to the device to run the exploit
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 3 stars
by Pro-me3us · local
https://github.com/Pro-me3us/CVE_2022_38181_Gazelle

This repository contains a functional exploit for CVE-2022-38181, targeting the ARM Mali kernel driver on Amazon FireTV 3rd gen Cube. The exploit leverages a use-after-free vulnerability to achieve arbitrary kernel code execution, disable SELinux, and gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: ARM Mali GPU Kernel Driver (Amazon FireTV Cube, FireOS 32-bit)
No auth needed
Prerequisites: Physical or local access to the target device · Compilation with Android NDK (ndk-21) · Execution within 30-90 seconds of device boot for reliability
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 8.8
EPSS 0.1259
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-03-30
VulnCheck KEV 2023-03-29
InTheWild.io 2023-03-29
ENISA EUVD EUVD-2022-40775
CWE CWE-416
Status published
Products (5)
arm/bifrost_gpu_kernel_driver r39p0
arm/bifrost_gpu_kernel_driver r0p0 - r38p1
arm/midgard_gpu_kernel_driver r4p0 - r31p0
arm/valhall_gpu_kernel_driver r39p0
arm/valhall_gpu_kernel_driver r19p0 - r38p1
Published Oct 25, 2022
KEV Added Mar 30, 2023
Tracked Since Feb 18, 2026