Description
A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger an out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device.

An edge case using a very small value in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write.
Published: 2026-06-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an out‑of‑bounds write in the libusc GPU shader compiler library, triggered when a web page supplies shader code containing a very small value to the GPU compiler process. The resulting segmentation fault occurs during WebGPU shader compilation, and on platforms where the compiler process runs with system privileges, the flaw could be leveraged to gain higher privileges on the device or to facilitate further malicious actions. The weakness is classified as CWE‑823 (Use of Out-of-range Pointer Offset), which here manifests as an out‑of‑bounds write.

Affected Systems

Imagination Technologies Graphics DDK – version information not specified. The vulnerability affects devices that use the Imagination Technologies GPU driver set (Graphics DDK) on platforms where the GPU compiler process runs with system‑level privileges, such as certain embedded or desktop operating systems.

Risk and Exploitability

The CVSS score for this vulnerability is 7.7, indicating high severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. The lack of an available public exploit means the real‑world exploitation likelihood is uncertain. However, on systems where the GPU compiler runs with elevated privileges, an attacker who can supply malicious WebGPU shader code could trigger the out‑of‑bounds write to gain higher authority on the device. The severity therefore hinges on the privilege level of the compiler process and the exposure to untrusted web content.

Generated by OpenCVE AI on June 26, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Imagination Technologies’ official GPU driver vulnerability page for any available patch; apply promptly when released.
  • Reduce exposure by disabling or restricting WebGPU and other GPU‑accelerated graphics features in browsers or operating systems so that untrusted web pages cannot trigger GPU shader compilation.
  • Monitor system logs for GPU compiler crashes or abnormal shader compilation activity, and investigate any incidents that involve unexpected segmentation faults in the GPU driver process.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Values added (none removed), by type:
  Metrics:
    cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Values added (none removed), by type:
  Description: A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger an out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. An edge case using a very small value in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write.
  Title: GPU DDK - libusc OOB write at TreeRemove during WebGPU shader compilation
  Weaknesses: CWE-823
  References:

MITRE

Status: PUBLISHED

Assigner: imaginationtech

Published:

Updated: 2026-06-26T19:13:09.026Z

Reserved: 2026-01-05T11:57:27.258Z

Link: CVE-2026-21734

Vulnrichment

Updated: 2026-06-26T19:13:02.620Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:15:06Z

Weaknesses

  • CWE-823: Use of Out-of-range Pointer Offset