Skip to main content

Mesa

5 CVEs product

Monthly

CVE-2026-40393 CRITICAL PATCH Act Now

Out-of-bounds memory access in the WebGPU implementation of Mesa (fixed in 25.3.6 and 26.0.1) lets an attacker who can submit WebGPU workloads corrupt memory, because a to-be-allocated buffer size is taken from an untrusted party and passed to alloca, producing a stack-based out-of-bounds write (CWE-787). The CVSS 9.8 rating reflects total technical impact, but there is no public exploit identified at time of analysis and EPSS is very low at 0.04%, indicating a serious memory-corruption bug that is not yet being exploited. SUSE and Debian LTS have already shipped fixed packages.

Buffer Overflow Memory Corruption Mesa
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-29075 HIGH PATCH This Week

Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.

Python AI / ML Mesa
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2019-5068 MEDIUM POC PATCH This Month

An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Mesa Leap Debian Linux Ubuntu Linux
NVD
CVSS 3.1
4.4
EPSS
0.5%
CVE-2013-1872 MEDIUM This Month

The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Intel Denial Of Service RCE Mesa +3
NVD
CVSS 2.0
6.8
EPSS
1.1%
CVE-2013-1993 MEDIUM This Month

Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Mesa Libglx
NVD
CVSS 2.0
6.8
EPSS
2.0%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in the WebGPU implementation of Mesa (fixed in 25.3.6 and 26.0.1) lets an attacker who can submit WebGPU workloads corrupt memory, because a to-be-allocated buffer size is taken from an untrusted party and passed to alloca, producing a stack-based out-of-bounds write (CWE-787). The CVSS 9.8 rating reflects total technical impact, but there is no public exploit identified at time of analysis and EPSS is very low at 0.04%, indicating a serious memory-corruption bug that is not yet being exploited. SUSE and Debian LTS have already shipped fixed packages.

Buffer Overflow Memory Corruption Mesa
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.

Python AI / ML Mesa
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM POC PATCH This Month

An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Mesa Leap +2
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Intel Denial Of Service +5
NVD
EPSS 2% CVSS 6.8
MEDIUM This Month

Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Mesa Libglx
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy