Skip to main content

Imagination Graphics DDK CVE-2026-41156

| EUVDEUVD-2026-38002 HIGH
Use After Free (CWE-416)
2026-06-19 imaginationtech GHSA-fpwh-r7hr-w6hc
7.7
CVSS 3.1 · Vendor: imaginationtech
Share

Severity by source

Vendor (imaginationtech) PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local unprivileged user must access GPU device nodes (PR:L) and win a CPU/GPU race (AC:H); kernel memory corruption yields high integrity and availability impact, no direct confidentiality loss.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (imaginationtech).

CVSS VectorVendor: imaginationtech

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 21:30 vuln.today
CVSS changed
Jun 22, 2026 - 19:24 NVD
7.7 (HIGH)
CVE Published
Jun 19, 2026 - 09:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources creating a write use after free scenario.

A shared resource (memory page) managed by a CPU thread of control (driver) and accessed by a GPU thread of control (Firmware) can cause a write UAF when the CPU thread frees the resource before the GPU FW has finished accessing it.

AnalysisAI

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain unprivileged local code execution
Delivery
Open GPU device node
Exploit
Issue crafted GPU syscalls to share memory page
Execution
Race CPU free against GPU FW write
Persist
Reallocate freed page with attacker data
Impact
Corrupt kernel state for EoP or DoS

Vulnerability AssessmentAI

Exploitation Attacker must already have local code execution as an unprivileged user on a device running an affected Imagination Graphics DDK branch (1.18, 23.2, 24.2, 25.1-25.3, or 26.1 RTM) with access to the PowerVR/IMG GPU device nodes that expose the vulnerable GPU system calls - typical on Android handsets, embedded Linux, and other SoC platforms shipping PowerVR GPUs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H reflects a local, low-complexity, unauthenticated-from-userspace flaw with high integrity and availability impact but no direct confidentiality loss - consistent with a kernel memory-corruption primitive usable for DoS and likely privilege escalation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained any local unprivileged code execution on an affected device - for example through a malicious app on a PowerVR-based mobile or embedded system - issues a crafted sequence of GPU ioctls that causes the kernel DDK to free a memory page while GPU firmware is still writing to it, then races to reallocate the page with attacker-controlled kernel objects to corrupt kernel state for privilege escalation or to crash the system. No public exploit is identified at time of analysis, and SSVC rates the flaw as not automatable, reflecting the timing race between CPU and GPU firmware that the attacker must win.
Remediation Patch available per vendor advisory - consult Imagination's GPU driver vulnerabilities page at https://www.imaginationtech.com/gpu-driver-vulnerabilities/ for the fixed DDK revision corresponding to each affected branch (1.18, 23.2, 24.2, 25.1-25.3, 26.1) and coordinate with your SoC vendor or device OEM, since DDK updates typically ship via platform BSPs rather than direct end-user installs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running Imagination Graphics DDK versions 1.18, 23.2, 24.2, 25.1-25.3, or 26.1 and verify local user access controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-41157 CRITICAL
9.8 Jun 12

Out-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim

CVE-2026-21732 CRITICAL
9.6 Mar 20

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with

CVE-2026-34195 HIGH
8.8 Jun 12

Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p

CVE-2026-41154 HIGH
7.8 Jul 10

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows

CVE-2026-7639 HIGH
7.8 Jul 10

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr

CVE-2026-34196 HIGH
7.8 Jul 10

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user tri

CVE-2026-45196 HIGH
7.8 Jul 10

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM

CVE-2026-45203 HIGH
7.8 Jul 10

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets

CVE-2026-45195 HIGH
7.8 Jun 26

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho

CVE-2026-41158 HIGH
7.8 Jun 12

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i

CVE-2026-22163 HIGH
7.8 Mar 20

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote

CVE-2026-21734 HIGH
7.7 Jun 26

Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu

Share

CVE-2026-41156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy