Skip to main content

Mesa CVE-2026-40393

| EUVDEUVD-2026-21737 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-12 mitre
9.8
CVSS 3.1 · NVD
Temporal: 8.1
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
8.1 HIGH
cvss
vuln.today AI
7.5 HIGH

WebGPU is reachable from untrusted web/guest content (AV:N/PR:N), but triggering the alloca needs crafted content the victim loads, giving UI:R and AC:H; stack corruption yields high C/I/A.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

13
Analysis Updated
Jul 13, 2026 - 10:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 10:28 vuln.today
v2 (cvss_changed)
Severity Changed
Jul 13, 2026 - 10:22 NVD
HIGH CRITICAL
CVSS changed
Jul 13, 2026 - 10:22 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Re-analysis Queued
Apr 16, 2026 - 16:22 vuln.today
cvss_changed
Patch released
Apr 16, 2026 - 16:17 nvd
Patch available
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
25.3.6,26.0.1
Analysis Generated
Apr 12, 2026 - 19:24 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 19:15 euvd
EUVD-2026-21737
Analysis Generated
Apr 12, 2026 - 19:15 vuln.today
CVE Published
Apr 12, 2026 - 18:49 nvd
HIGH 8.1

DescriptionNVD

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

AnalysisAI

Out-of-bounds memory access in the WebGPU implementation of Mesa (fixed in 25.3.6 and 26.0.1) lets an attacker who can submit WebGPU workloads corrupt memory, because a to-be-allocated buffer size is taken from an untrusted party and passed to alloca, producing a stack-based out-of-bounds write (CWE-787). The CVSS 9.8 rating reflects total technical impact, but there is no public exploit identified at time of analysis and EPSS is very low at 0.04%, indicating a serious memory-corruption bug that is not yet being exploited. SUSE and Debian LTS have already shipped fixed packages.

Technical ContextAI

Mesa is the dominant open-source graphics stack on Linux, providing OpenGL, Vulkan, and now WebGPU implementations across essentially all common GPU drivers (Intel, AMD, and others). The flaw is in Mesa's WebGPU code path, where the number of bytes to allocate is derived from data controlled by an untrusted requester and then handed to alloca(), which reserves memory on the stack. Because alloca performs no bounds checking and stack allocation cannot fail gracefully, an attacker-influenced size causes an out-of-bounds write (CWE-787, tagged in the input as Buffer Overflow / Memory Corruption). WebGPU is specifically designed to expose GPU compute and rendering to less-trusted contexts such as web content or virtualized guests, which is why an untrusted party is able to influence the allocation size at all. The single affected CPE is cpe:2.3:a:mesa3d:mesa.

RemediationAI

Upgrade Mesa to a fixed release: 25.3.6 or later on the 25.x branch, or 26.0.1 or later on the 26.x branch (Vendor-released patch: Mesa 25.3.6 / 26.0.1; upstream fix in merge request https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866, announced at https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html). On distributions, apply the vendor packages - SUSE via SUSE-SU-2026:1343 (https://www.suse.com/support/update/SUSE-SU-2026:1343/) and Debian LTS per https://lists.debian.org/debian-lts-announce/2026/07/msg00021.html. If you cannot patch immediately, reduce exposure by not enabling or exposing the WebGPU code path to untrusted input - for example avoid enabling WebGPU/experimental GPU acceleration for untrusted web content or guest VMs, and restrict which untrusted contexts can submit GPU workloads; the trade-off is loss of WebGPU-accelerated functionality for those workloads. After upgrading, restart affected browsers, compositors, or services so the new Mesa libraries are loaded.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

CVE-2026-40393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy