Rooting is a technique that lets users or attackers achieve privileged control over the operating system, circumventing manufacturer and carrier constraints.
Senior mobile security researchers Pan Zhenpeng and Jheng Bing Jhong from STAR Labs have disclosed groundbreaking research demonstrating two distinct methods to root nearly all Qualcomm-based Android phones.
Their technique, dubbed “GPUAF” (GPU Use-After-Free), chains multiple vulnerabilities in Qualcomm’s GPU drivers to achieve complete system control across devices from Samsung, Xiaomi, Honor, and Vivo.
Critical Vulnerabilities in Qualcomm GPU Drivers
The researchers detailed three critical flaws: CVE-2024-23380, a race condition in the Kgsl VBO map buffer; CVE-2024-23373, a page Use-After-Free vulnerability triggered when unmap operations fail; and a third bug involving premature page table entry destruction.
“By chaining these vulnerabilities, we create inconsistencies between the GPU driver’s internal structures and the IOMMU mappings,” explained the researchers in their technical report.
The exploit deliberately races two bind operations to cause the GPU driver to incorrectly track memory mappings, eventually leading to a situation where freed memory pages remain accessible through the GPU.
Two Paths to Root Access
The researchers demonstrated two distinct exploitation paths:
Page Table Manipulation
This approach reclaims freed pages as ARM64 page tables. By manipulating these tables, attackers can modify the protection bits (AP[2:1]) to make read-only memory writable.
After gaining control of page tables, attackers can disable SELinux by overwriting the selinux_state structure and gaining root privileges.
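To make the AP[2:1] point concrete from a forensics angle, the following added example (my own code, not STAR Labs' exploit or the Qualcomm driver) decodes ARM64 stage-1 level-3 page descriptors and flags entries that map a range expected to be read-only kernel memory but are now writable or EL0-reachable. The descriptor values, the address range and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* VMSAv8-64 level-3 page descriptor layout (relevant bits only):
 *   bits[1:0] = 0b11  valid page descriptor
 *   bit 6     = AP[1] 1 -> accessible from EL0, 0 -> EL1 only
 *   bit 7     = AP[2] 1 -> read-only, 0 -> read/write
 *   bits[47:12]       output (physical) address */
#define PTE_VALID     (1ULL << 0)
#define PTE_TYPE_PAGE (1ULL << 1)
#define PTE_AP1_EL0   (1ULL << 6)
#define PTE_AP2_RO    (1ULL << 7)
#define PTE_ADDR_MASK 0x0000FFFFFFFFF000ULL

typedef struct { uint64_t pa; bool valid; bool el0; bool writable; } pte_info;

/* Decode one descriptor into its permission-relevant fields. */
pte_info decode_pte(uint64_t d) {
    pte_info i;
    i.valid    = (d & PTE_VALID) && (d & PTE_TYPE_PAGE);
    i.pa       = d & PTE_ADDR_MASK;
    i.el0      = (d & PTE_AP1_EL0) != 0;
    i.writable = (d & PTE_AP2_RO) == 0;   /* AP[2] cleared => read/write */
    return i;
}

/* Memory-forensics style check over a captured page-table page: count
 * valid entries whose output address lies in [ro_lo, ro_hi), a range the
 * analyst expects to be read-only kernel text/rodata, but whose AP bits
 * now grant write or EL0 access. Returns the number of violations. */
size_t find_ro_violations(const uint64_t *ptes, size_t n,
                          uint64_t ro_lo, uint64_t ro_hi) {
    size_t bad = 0;
    for (size_t k = 0; k < n; k++) {
        pte_info i = decode_pte(ptes[k]);
        if (!i.valid || i.pa < ro_lo || i.pa >= ro_hi) continue;
        if (i.writable || i.el0) {
            printf("entry %zu: PA 0x%llx is%s%s\n", k, (unsigned long long)i.pa,
                   i.writable ? " writable" : "", i.el0 ? " EL0-accessible" : "");
            bad++;
        }
    }
    return bad;
}
```

A hypervisor-level integrity monitor or a post-incident memory-dump analysis would run a check of this shape against the tables covering kernel code and the SELinux state page.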
Pipe Buffer Exploitation
The second technique reclaims freed pages as pipe_buffer structures.
By manipulating this structure, attackers achieve arbitrary read/write capabilities through copy_page_to_iter and copy_page_from_iter functions when the PIPE_BUF_FLAG_CAN_MERGE flag is set.
Wide-Ranging Impact
The attack affects numerous devices including Samsung Galaxy S series (non-Exynos chips), Honor phones (x9b, 90…), Xiaomi phones (14, 14 Pro, Redmi Note 13 Pro…), and Vivo phones (iQOO Z9s Pro, T3 Pro…).
The researchers also demonstrated bypasses for advanced security features like Samsung’s Enhanced SELinux and KNOX hypervisor protections that operate at EL2 (Exception Level 2).
“What makes this attack particularly concerning is its broad applicability across vendors and its ability to bypass hardware-backed security measures,” noted the researchers.
Qualcomm has issued patches for the vulnerabilities, but security experts recommend that users update their devices immediately, as attackers could potentially exploit these flaws to gain complete control of affected devices, access sensitive data, and install persistent malware.
GPUAF represents a significant advancement in Android exploitation, demonstrating how GPU driver vulnerabilities can be chained to achieve full device compromise, and underscoring the need for robust, multi-layered mobile security defenses.