Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local kernel-driver access (AV:L, PR:L), TOCTOU race window raises complexity to AC:H, and out-of-bounds firmware write yields high C/I/A within an unchanged scope.
Primary rating from Vendor (imaginationtech).
CVSS VectorVendor: imaginationtech
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.
A TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use.
AnalysisAI
Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local, kernel-level presence: attacker-controlled kernel software or a malicious driver running inside a Host VM that can post commands to the GPU firmware. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine but locally-scoped issue rather than a mass-exploitation event. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has kernel-level code execution inside a Host VM (via a malicious or compromised GPU driver) submits a GPU command whose parameters pass firmware validation, then races to modify the referenced memory values before the firmware consumes them, coercing the firmware into writing outside the host kernel's permitted memory range to corrupt kernel memory or disclose data. No public POC is currently referenced, and success depends on reliably winning the TOCTOU window. |
| Remediation | Patch available per vendor advisory - consult Imagination Technologies' GPU driver vulnerabilities page (https://www.imaginationtech.com/gpu-driver-vulnerabilities/) for the fixed DDK build corresponding to your release train, as no single exact fix version is enumerated in the available data and version numbers should not be invented. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: conduct an inventory of all systems and VMs using Imagination Technologies PowerVR GPU drivers to determine organizational exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Graphics Ddk
View allOut-of-bounds write in the Imagination Technologies Graphics DDK (GPU user-space driver) can be triggered when a victim
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with
Out-of-bounds kernel write in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows a local non-privileged p
Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows
Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unpr
Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user tri
Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM
Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Ho
Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to i
Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory prote
Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unu
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43043
GHSA-vf2q-w6vq-3hq8