Skip to main content

Imagination Graphics DDK CVE-2026-34196

| EUVDEUVD-2026-43032 HIGH
Use After Free (CWE-416)
2026-07-10 imaginationtech GHSA-54wp-4fgx-pxg4
7.8
CVSS 3.1 · Vendor: imaginationtech
Share

Severity by source

Vendor (imaginationtech) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker runs local unprivileged code (AV:L, PR:L) via straightforward GPU syscalls (AC:L, UI:N); the read/write UAF over reallocated memory yields full C:H/I:H/A:H within an unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (imaginationtech).

CVSS VectorVendor: imaginationtech

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:30 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
7.8 (HIGH)
CVE Published
Jul 10, 2026 - 20:42 cve.org
HIGH 7.8
CVE Published
Jul 10, 2026 - 20:42 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address. One of these virutal mappings can be freed along with the physical page, allowing for a read/write UAF via the second mapping

The second virtual mapping references a physical address that has been freed after the first virtual mapping has been freed. This allows the physical memory to be allocated (for example) by another process and read/written to.

AnalysisAI

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user trigger a use-after-free by abusing an integer overflow in GPU memory-mapping system calls. The flaw allows two GPU virtual addresses to alias the same physical page; freeing one mapping releases the page while the second dangling mapping retains read/write access, enabling cross-process memory disclosure and corruption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Run unprivileged code on device
Delivery
Issue crafted GPU mapping syscalls
Exploit
Integer overflow aliases two VAs to one page
Install
Free first mapping and backing page
C2
Freed page reallocated to victim
Execute
Read/write via dangling second mapping
Impact
Escalate privileges or leak data

Vulnerability AssessmentAI

Exploitation Requires the attacker to already run code as a local non-privileged user on a device whose kernel loads a vulnerable Imagination Graphics DDK build (1.18 RTM2, 23.2 RTM2, 24.2 RTM2, 25.1 RTM2-25.3 RTM, or 26.1 RTM1) and to have access to the PowerVR GPU device interface to issue the mapping system calls. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 High) is internally consistent and matches the description: exploitation needs only local access as an already-running non-privileged process, with low complexity and no user interaction, yielding full confidentiality, integrity and availability impact within an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised non-privileged app on a device using the vulnerable PowerVR DDK issues crafted GPU mapping system calls that overflow an internal size calculation, creating two GPU virtual mappings aliased to one physical page. The app frees the first mapping (releasing the physical page), lets the kernel reallocate that page to another process or privileged structure, then reads and writes it through the still-valid second mapping to leak secrets or corrupt memory toward privilege escalation. …
Remediation Upgrade the Graphics DDK to a fixed release as directed by Imagination's advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/; the input data does not list an exact fixed version, so the specific patched build should be taken as vendor-confirmed only once obtained from that advisory (no independently verified fix version is available here). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, execute a hardware inventory to identify all systems running Imagination Technologies PowerVR GPU drivers, including mobile endpoints and embedded systems in your organization's asset database. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-41157 CRITICAL
9.8 Jun 12

Out-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim

CVE-2026-21732 CRITICAL
9.6 Mar 20

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with

CVE-2026-34195 HIGH
8.8 Jun 12

Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p

CVE-2026-41154 HIGH
7.8 Jul 10

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows

CVE-2026-7639 HIGH
7.8 Jul 10

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr

CVE-2026-45196 HIGH
7.8 Jul 10

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM

CVE-2026-45203 HIGH
7.8 Jul 10

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets

CVE-2026-45195 HIGH
7.8 Jun 26

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho

CVE-2026-41158 HIGH
7.8 Jun 12

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i

CVE-2026-22163 HIGH
7.8 Mar 20

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote

CVE-2026-21734 HIGH
7.7 Jun 26

Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu

CVE-2026-41156 HIGH
7.7 Jun 19

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-

Share

CVE-2026-34196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy