Skip to main content

Graphics Ddk CVE-2026-21732

| EUVDEUVD-2026-13834 CRITICAL
Use of Out-of-range Pointer Offset (CWE-823)
2026-03-20 imaginationtech GHSA-2mc2-45rp-r4w4
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 21, 2026 - 17:07 vuln.today
cvss_changed
EUVD ID Assigned
Mar 20, 2026 - 23:16 euvd
EUVD-2026-13834
Analysis Generated
Mar 20, 2026 - 23:16 vuln.today
CVE Published
Mar 20, 2026 - 22:48 nvd
CRITICAL 9.6

DescriptionCVE.org

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.

An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

AnalysisAI

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.

Technical ContextAI

The vulnerability resides in Imagination Technologies' Graphics DDK (Driver Development Kit), specifically in the GPU shader compiler library that processes GLSL or similar shader code. The root cause is classified as CWE-823 (Use of Out-of-Bounds Pointer), manifesting as an out-of-bounds write during the compilation of shader code containing edge-case switch statement constructs with very large numeric values. When a web page embeds or references GPU shader code (via WebGL, WebGPU, or similar APIs), the shader is submitted to the GPU compiler process for compilation. The compiler fails to properly validate or bound-check large values in switch statements, leading to a write beyond allocated buffer boundaries. The affected CPE is cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*, indicating all versions of the Graphics DDK are potentially affected until patched.

RemediationAI

Apply patches provided by Imagination Technologies for the Graphics DDK as detailed in their security advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/. For device manufacturers and OEMs using this DDK, integrate the patched compiler library into updated GPU driver builds and firmware. Until patches are available or deployed, mitigate exposure by restricting WebGL and WebGPU functionality on untrusted content through browser sandbox policies, disabling GPU acceleration for untrusted web pages, or enforcing Content Security Policy to limit shader code sources. Administrators should prioritize patching for devices where GPU compiler processes run with elevated privileges.

CVE-2026-41157 CRITICAL
9.8 Jun 12

Out-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim

CVE-2026-34195 HIGH
8.8 Jun 12

Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p

CVE-2026-41154 HIGH
7.8 Jul 10

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows

CVE-2026-7639 HIGH
7.8 Jul 10

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr

CVE-2026-34196 HIGH
7.8 Jul 10

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user tri

CVE-2026-45196 HIGH
7.8 Jul 10

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM

CVE-2026-45203 HIGH
7.8 Jul 10

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets

CVE-2026-45195 HIGH
7.8 Jun 26

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho

CVE-2026-41158 HIGH
7.8 Jun 12

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i

CVE-2026-22163 HIGH
7.8 Mar 20

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote

CVE-2026-21734 HIGH
7.7 Jun 26

Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu

CVE-2026-41156 HIGH
7.7 Jun 19

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-

Share

CVE-2026-21732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy