A zero-day vulnerability in Samsung’s mobile processors has been leveraged as part of an exploit chain for arbitrary code execution, Google’s Threat Analysis Group (TAG) warns.

Tracked as CVE-2024-44068 (CVSS score of 8.1) and patched as part of Samsung’s October 2024 set of security fixes, the issue is described as a use-after-free bug that could be abused to escalate privileges on a vulnerable Android device.

“An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920. A use-after-free in the mobile processor leads to privilege escalation,” a NIST advisory reads.

Samsung’s scarce advisory on CVE-2024-44068 makes no mention of the vulnerability’s exploitation, but Google researcher Xingyu Jin, who was credited for reporting the flaw in July, and Google TAG researcher Clement Lecigene, warn that an exploit exists in the wild.

According to them, the issue resides in a driver that provides hardware acceleration for media functions, and which maps userspace pages to I/O pages, executes a firmware command, and tears down mapped I/O pages.

Because of the bug, the page reference count is not incremented for PFNMAP pages and is only decremented for non-PFNMAP pages when tearing down I/O virtual memory.

This allows an attacker to allocate PFNMAP pages, map them to I/O virtual memory and free the pages, allowing them to map I/O virtual pages to freed physical pages, the researchers explain.

“This zero-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to ‘[email protected]’, probably for anti-forensic purposes,” Jin and Lecigene note.

The exploit unmaps the pages, triggers the use-after-free bug, and then uses a firmware command to copy data to the I/O virtual pages, leading to a Kernel Space Mirroring Attack (KSMA) and breaking the Android kernel isolation protections.

While the researchers have not provided details on the observed attacks, Google TAG often discloses zero-days exploited by spyware vendors, including against Samsung devices.

Related: Microsoft: macOS Vulnerability Potentially Exploited in Adware Attacks

Related: Smart TV Surveillance? How Samsung and LG’s ACR Technology Tracks What You Watch

Related: New ‘Unc0ver’ Jailbreak Uses Vulnerability That Apple Said Was Exploited

Related: Proportion of Exploited Vulnerabilities Continues to Drop