Skip to main content

Imagination Graphics DDK CVE-2026-34192

| EUVDEUVD-2026-38001 HIGH
Use After Free (CWE-416)
2026-06-19 imaginationtech GHSA-q7pr-p3c5-mgvj
7.7
CVSS 3.1 · Vendor: imaginationtech
Share

Severity by source

Vendor (imaginationtech) PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.1 HIGH

Local GPU syscall from an unprivileged but authenticated local user (PR:L), low complexity, no UI; kernel UAF yields high integrity/availability, no direct confidentiality impact stated.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (imaginationtech).

CVSS VectorVendor: imaginationtech

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 21:30 vuln.today
CVSS changed
Jun 22, 2026 - 19:24 NVD
7.7 (HIGH)
CVE Published
Jun 19, 2026 - 09:23 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an error path leading to UAF of GPU page tables.

The vulnerability allows physical memory allocated for MMU page tables to be used after being freed. This was caused by an error path that would not cleanup properly before freeing the physical allocation.

AnalysisAI

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local code execution as normal user
Delivery
Open PowerVR GPU device node
Exploit
Issue crafted GPU syscall sequence triggering error path
Install
UAF on freed MMU page-table page
C2
Reallocate and groom freed physical page
Execute
Corrupt kernel memory via GPU MMU
Impact
Escalate privileges or crash device

Vulnerability AssessmentAI

Exploitation Attacker must already be able to execute code as a non-privileged local user on a device running a vulnerable Imagination Graphics DDK build (1.18 RTM, 23.2 RTM, 24.2 RTM, or 25.1-25.3 RTM) with access to the PowerVR GPU device node, and must issue a specific sequence of GPU system calls that triggers the faulting error path in MMU page-table teardown. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H scores 7.7 and reflects a local, low-complexity attack with no privileges and high integrity/availability impact - characteristic of a kernel UAF reachable from any local process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious unprivileged Android app or local user on a PowerVR-equipped device invokes a sequence of GPU ioctls/system calls that deliberately trips the driver's error path, freeing the MMU page-table backing while a stale reference remains. The attacker then races to reallocate the freed physical page, programs attacker-controlled content into it via the GPU MMU, and uses the resulting kernel-memory corruption to escalate to root or crash the device. …
Remediation Patch available per vendor advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/; no fixed Graphics DDK version was published in the available data, so administrators should consult Imagination Technologies directly and confirm with their SoC/device OEM which downstream driver release incorporates the fix (track also vuldb.com/vuln/372347 and EUVD-2026-38001). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct asset inventory to identify all systems running Imagination Technologies PowerVR GPU drivers; document affected device models and installed driver versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-41157 CRITICAL
9.8 Jun 12

Out-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim

CVE-2026-21732 CRITICAL
9.6 Mar 20

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with

CVE-2026-34195 HIGH
8.8 Jun 12

Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p

CVE-2026-41154 HIGH
7.8 Jul 10

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows

CVE-2026-7639 HIGH
7.8 Jul 10

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr

CVE-2026-34196 HIGH
7.8 Jul 10

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user tri

CVE-2026-45196 HIGH
7.8 Jul 10

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM

CVE-2026-45203 HIGH
7.8 Jul 10

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets

CVE-2026-45195 HIGH
7.8 Jun 26

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho

CVE-2026-41158 HIGH
7.8 Jun 12

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i

CVE-2026-22163 HIGH
7.8 Mar 20

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote

CVE-2026-21734 HIGH
7.7 Jun 26

Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu

Share

CVE-2026-34192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy