Skip to main content

Imagination Graphics DDK CVE-2026-45196

| EUVDEUVD-2026-43039 HIGH
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-07-10 imaginationtech GHSA-5xwh-rf6v-6cj6
7.8
CVSS 3.1 · Vendor: imaginationtech
Share

Severity by source

Vendor (imaginationtech) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

AV:L because exploitation is local via the GPU command interface, and PR:H because it requires attacker-controlled kernel software inside the Host VM; high C/I/A from privilege escalation across the GPU boundary.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (imaginationtech).

CVSS VectorVendor: imaginationtech

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:30 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
7.8 (HIGH)
CVE Published
Jul 10, 2026 - 20:53 cve.org
HIGH 7.8
CVE Published
Jul 10, 2026 - 20:53 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can lead to privilege escalation.

AnalysisAI

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain kernel-level code execution in Host VM
Delivery
Craft improper GPU firmware commands
Exploit
Submit commands to trigger illegal GPU register access
Execution
Bypass privilege boundary
Impact
Escalate privileges on host

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be running kernel software inside a Host VM on a system using the affected Imagination Graphics DDK, and to have a path to submit commands to the GPU firmware command interface - i.e., local access to the GPU driver/firmware channel, not remote or unauthenticated access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are consistent and point to a real but locally-scoped privilege-escalation risk rather than a remotely exploitable emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can execute kernel-mode code inside a Host VM on an affected PowerVR platform crafts and submits malformed commands to the GPU firmware, causing an improper GPU register access that escalates their privileges beyond the intended boundary. Because the attack vector is local with low complexity and no user interaction, exploitation is deterministic once the attacker has the required kernel foothold; no public exploit code is identified at time of analysis.
Remediation Update the Imagination Graphics DDK to a fixed release for your branch as published by the vendor; consult the Imagination GPU driver vulnerabilities advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/ for the patched build corresponding to your DDK line (1.18, 23.2, 24.2, 25.x, or 26.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Complete an inventory of all systems running Imagination Technologies Graphics DDK versions 1.18 through 26.1, with emphasis on virtualized and multi-tenant GPU deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-41157 CRITICAL
9.8 Jun 12

Out-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim

CVE-2026-21732 CRITICAL
9.6 Mar 20

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with

CVE-2026-34195 HIGH
8.8 Jun 12

Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p

CVE-2026-41154 HIGH
7.8 Jul 10

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows

CVE-2026-7639 HIGH
7.8 Jul 10

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr

CVE-2026-34196 HIGH
7.8 Jul 10

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user tri

CVE-2026-45203 HIGH
7.8 Jul 10

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets

CVE-2026-45195 HIGH
7.8 Jun 26

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho

CVE-2026-41158 HIGH
7.8 Jun 12

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i

CVE-2026-22163 HIGH
7.8 Mar 20

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote

CVE-2026-21734 HIGH
7.7 Jun 26

Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu

CVE-2026-41156 HIGH
7.7 Jun 19

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-

Share

CVE-2026-45196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy