Graphics Ddk
Monthly
Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages. Physical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.
A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger an out-of-bound write in the GPU user-space driver, leading to memory corruption and possible browser/GPU process crash. The software computes a required memory size from untrusted input, but integer overflow can produce a value smaller than needed. Subsequent write operations may then occur past the intended memory boundary, corrupting adjacent memory and causing process instability or termination.
An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disrupt the operation of another secure GPU process leading to image corruption / GPU hardware recovery. Sharing secure memory allocations among various GPU secure processes allows an attacker to corrupt shared resource affecting other users.
Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping.
Local privilege escalation and integrity compromise in Imagination Technologies Graphics DDK (GPU driver) allows non-privileged users to corrupt sparse memory mapping state via improper GPU system calls, leading to out-of-bounds memory access. The flaw stems from implicit scaling errors in pointer arithmetic across buffers of differing sizes (CWE-468), affecting DDK releases 24.2 RTM, 25.1-25.3 RTM, and 26.1 RTM. No public exploit identified at time of analysis, but the local attack vector with low complexity makes this attractive for sandbox escape chains on Android/Linux devices using PowerVR GPUs.
Kernel heap memory corruption in Imagination Technologies Graphics DDK allows a non-privileged local user to crash or destabilize the kernel by issuing crafted GPU system calls. The flaw affects Graphics DDK 24.2 RTM, 25.1 RTM through 25.3 RTM, and 26.1 RTM, and impacts any device shipping the affected PowerVR/IMG GPU driver stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Arbitrary firmware memory writes in Imagination Technologies Graphics DDK affect multiple DDK versions across Guest/Host VM deployments. A logic error in GPU driver address translation permits kernel-level software within a VM to issue malformed commands to GPU firmware, causing writes to memory regions outside the intended GPU memory boundary. The Chrome OS stable channel advisory reference confirms real-world platform-level impact, and a vendor patch is available. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to modify read-only GPU memory and files through improper system call handling. Affects DDK versions 1.17 through 25.3 RTM across multiple release branches. Attack requires local access and low-level privileges but no user interaction (CVSS: 7.3). EPSS data not available; no active exploitation confirmed (SSVC: none); no public POC identified at time of analysis. Vulnerability stems from insufficient validation of GPU memory reservation protections, enabling authenticated local users to bypass kernel-enforced memory access controls.
Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory protections and write to arbitrary physical memory through race condition exploitation. This privilege escalation vulnerability affects systems using the vulnerable DDK driver and requires no user interaction to trigger. No patch is currently available.
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.
Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages. Physical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.
A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger an out-of-bound write in the GPU user-space driver, leading to memory corruption and possible browser/GPU process crash. The software computes a required memory size from untrusted input, but integer overflow can produce a value smaller than needed. Subsequent write operations may then occur past the intended memory boundary, corrupting adjacent memory and causing process instability or termination.
An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disrupt the operation of another secure GPU process leading to image corruption / GPU hardware recovery. Sharing secure memory allocations among various GPU secure processes allows an attacker to corrupt shared resource affecting other users.
Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping.
Local privilege escalation and integrity compromise in Imagination Technologies Graphics DDK (GPU driver) allows non-privileged users to corrupt sparse memory mapping state via improper GPU system calls, leading to out-of-bounds memory access. The flaw stems from implicit scaling errors in pointer arithmetic across buffers of differing sizes (CWE-468), affecting DDK releases 24.2 RTM, 25.1-25.3 RTM, and 26.1 RTM. No public exploit identified at time of analysis, but the local attack vector with low complexity makes this attractive for sandbox escape chains on Android/Linux devices using PowerVR GPUs.
Kernel heap memory corruption in Imagination Technologies Graphics DDK allows a non-privileged local user to crash or destabilize the kernel by issuing crafted GPU system calls. The flaw affects Graphics DDK 24.2 RTM, 25.1 RTM through 25.3 RTM, and 26.1 RTM, and impacts any device shipping the affected PowerVR/IMG GPU driver stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Arbitrary firmware memory writes in Imagination Technologies Graphics DDK affect multiple DDK versions across Guest/Host VM deployments. A logic error in GPU driver address translation permits kernel-level software within a VM to issue malformed commands to GPU firmware, causing writes to memory regions outside the intended GPU memory boundary. The Chrome OS stable channel advisory reference confirms real-world platform-level impact, and a vendor patch is available. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to modify read-only GPU memory and files through improper system call handling. Affects DDK versions 1.17 through 25.3 RTM across multiple release branches. Attack requires local access and low-level privileges but no user interaction (CVSS: 7.3). EPSS data not available; no active exploitation confirmed (SSVC: none); no public POC identified at time of analysis. Vulnerability stems from insufficient validation of GPU memory reservation protections, enabling authenticated local users to bypass kernel-enforced memory access controls.
Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory protections and write to arbitrary physical memory through race condition exploitation. This privilege escalation vulnerability affects systems using the vulnerable DDK driver and requires no user interaction to trigger. No patch is currently available.
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.