
Imagination Graphics DDK CVE-2026-34194

EUVD-2026-35083 · HIGH · Incorrect Pointer Scaling (CWE-468)
2026-06-08 · imaginationtech · GHSA-4fp7-72xg-c4hc
CVSS 3.1: 7.1 (NVD)

Severity by source

NVD (primary): 7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Jun 08, 2026 - 20:23 (vuln.today): Analysis generated
Jun 08, 2026 - 20:22 (NVD): CVSS changed to 7.1 (HIGH)
Jun 08, 2026 - 14:58 (NVD): CVE published, UNKNOWN (no severity yet)

Description (CVE.org)

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of a mapping state maintained for a sparse memory allocation.

The product accidentally refers to the wrong memory due to the semantics of how math operations are implicitly scaled across buffers of different sizes.

Analysis (AI)

Local privilege escalation and integrity compromise in Imagination Technologies Graphics DDK (GPU driver) allows non-privileged users to corrupt sparse memory mapping state via improper GPU system calls, leading to out-of-bounds memory access. The flaw stems from implicit scaling errors in pointer arithmetic across buffers of differing sizes (CWE-468), affecting DDK releases 24.2 RTM, 25.1-25.3 RTM, and 26.1 RTM. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Gain unprivileged code execution on device
Delivery: Open PowerVR GPU device node
Exploit: Issue crafted sparse allocation ioctls
Install: Trigger CWE-468 pointer mis-scaling
C2: Corrupt kernel mapping metadata
Execute: Overlap userland page onto kernel structure
Impact: Escalate to kernel privileges

Vulnerability Assessment (AI)

Exploitation: Attacker must have local code execution as an unprivileged user on a device running an affected Imagination Graphics DDK build (24.2 RTM, 25.1-25.3 RTM, or 26.1 RTM) and must hold an open file descriptor to the PowerVR GPU device node - on Android this is granted to every app by default, on Linux this requires membership in the render/video group or world-accessible /dev/dri permissions. …

Risk Assessment: The CVSS 7.1 (AV:L/AC:L/PR:L/UI:N/C:N/I:H/A:H) accurately reflects a high-impact local issue: any unprivileged app with GPU access can trigger it, integrity and availability are fully compromised but confidentiality is rated none - unusual given that sparse mapping corruption typically enables read primitives too, suggesting the vendor scoped the impact narrowly to kernel state corruption rather than data exfiltration. …

Exploit Scenario: A malicious Android app installed from a sideloaded APK or a compromised Play Store entry opens the PowerVR GPU device node (no special permission required on most Android builds), submits a crafted sequence of sparse memory allocation and mapping system calls that triggers the incorrect pointer-scaling arithmetic, and corrupts adjacent kernel mapping metadata. The attacker then leverages this state desync to overlap a controlled userland page onto a kernel structure, escalating from the app sandbox to kernel context - a classic mobile sandbox escape pattern, though no public exploit is currently identified.

Remediation: Patch available per vendor advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/ - exact fixed DDK version is not stated in the provided data, so administrators must consult the vendor page directly and confirm with their SoC vendor or Android OEM, since DDK fixes propagate through BSP updates rather than direct end-user installs. …

Recommended Action (AI)

Within 24 hours: Audit organizational device inventory to identify systems using PowerVR GPUs (common in Android; check GPU specifications in device manifests). …
