PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-28663 Arm CVE debrief

CVE-2021-28663 is a use-after-free vulnerability affecting the Arm Mali Graphics Processing Unit (GPU). CISA included it in the Known Exploited Vulnerabilities catalog on 2021-11-03, which indicates active exploitation concern and makes timely remediation important.

Vendor: Arm
Product: Mali Graphics Processing Unit (GPU)
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2021-11-03
Original CVE updated: 2021-11-03
Advisory published: 2021-11-03
Advisory updated: 2021-11-03

Who should care

Organizations that deploy devices, firmware, or software stacks using Arm Mali GPUs should care, especially OEMs, mobile device administrators, embedded system operators, and teams responsible for patching GPU drivers or platform firmware.

Technical summary

The supplied sources identify the issue as a use-after-free in Arm Mali Graphics Processing Unit (GPU) components. The CVE record and CISA KEV entry do not provide additional technical specifics in the supplied corpus. Because it is listed in KEV, defenders should treat it as a vulnerability with demonstrated exploitation risk and prioritize vendor-provided updates.

Defensive priority

High. CISA added this CVE to the Known Exploited Vulnerabilities catalog and set a remediation due date of 2021-11-17, so affected environments should prioritize remediation as soon as practical.

Recommended defensive actions

  • Apply updates per the vendor's instructions.
  • Identify assets and products that use Arm Mali GPU components.
  • Prioritize patching or mitigation for any exposed or internet-reachable systems using affected GPU stacks.
  • Verify remediation across OEM firmware, driver packages, and managed device fleets.
  • Track the CISA KEV due date and confirm closure of the finding in vulnerability management records.
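The asset identification and due-date tracking steps above, as an added example that is not part of the PatchSiren debrief: a KEV-style record for this CVE is cross-referenced against a device inventory. The KEV record and the inventory rows are constructed sample data; the field names follow the public CISA KEV JSON feed.

```python
"""Cross-reference a KEV entry against an asset inventory and report remediation status."""
from datetime import date

# Constructed KEV-style record for CVE-2021-28663; the dates and required action
# are the ones stated in the debrief, the field names are those of the KEV feed.
KEV_ENTRY = {
    "cveID": "CVE-2021-28663",
    "vendorProject": "Arm",
    "product": "Mali Graphics Processing Unit (GPU)",
    "requiredAction": "Apply updates per vendor instructions",
    "dateAdded": "2021-11-03",
    "dueDate": "2021-11-17",
}

# Constructed inventory: one row per device, the GPU string as reported by the
# platform, and whether the vendor-supplied driver/firmware update is confirmed.
INVENTORY = [
    {"asset": "tablet-017", "gpu": "ARM Mali-G72 MP3", "patched": False},
    {"asset": "kiosk-04",   "gpu": "Mali-G52 MC2",     "patched": True},
    {"asset": "laptop-221", "gpu": "Intel Iris Xe",    "patched": False},
]


def uses_mali(gpu_string):
    """True when the GPU string belongs to the Arm Mali product family."""
    return "mali" in gpu_string.lower()


def days_to_due(due_date_iso, today_iso):
    """Days remaining until the KEV due date; negative once the date has passed."""
    return (date.fromisoformat(due_date_iso) - date.fromisoformat(today_iso)).days


def remediation_report(entry, inventory, today_iso):
    """List affected assets still lacking the update, with their KEV due-date status."""
    report = []
    for item in inventory:
        if not uses_mali(item["gpu"]) or item["patched"]:
            continue
        remaining = days_to_due(entry["dueDate"], today_iso)
        status = "OVERDUE" if remaining < 0 else f"due in {remaining} days"
        report.append((item["asset"], entry["cveID"], status))
    return report


if __name__ == "__main__":
    for row in remediation_report(KEV_ENTRY, INVENTORY, "2021-11-10"):
        print(*row)
```

Feeding the real KEV feed and a fleet export in place of the constructed data gives the same report for every listed CVE, not only this one.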

Evidence notes

This debrief is based on the supplied CVE record and CISA KEV source item. The CVE is identified as a use-after-free in Arm Mali Graphics Processing Unit (GPU). The CISA KEV metadata states 'Apply updates per vendor instructions' and lists dateAdded as 2021-11-03 with dueDate 2021-11-17. No CVSS score was provided in the supplied data, so severity is reflected as operational priority rather than a numeric score.

Official resources

CISA listed CVE-2021-28663 in the Known Exploited Vulnerabilities catalog on 2021-11-03 and set a remediation due date of 2021-11-17. The supplied CVE and source timelines both use 2021-11-03 as the published and modified date.