Description
A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device.
Published: 2026-05-01
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free that occurs when a web page includes uncommon WebGPU content that is processed by the GPU GLES render process. The flaw can cause a write UAF crash and, on systems where the GPU process runs with system privileges, can serve as a foothold for further exploitation, potentially allowing an attacker to gain elevated privileges or execute arbitrary code in the context of the device.

Affected Systems

Imagination Technologies Graphics DDK. No specific driver or firmware versions are listed, so any device running this DDK on affected platforms may be vulnerable.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity vulnerability. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. The likely attack vector is a web page containing WebGPU content that is rendered by a GPU driver executing with elevated privileges. Without an official vendor patch, the exploit risk remains high for susceptible systems because the flaw can lead to a crash that may be leveraged for privilege escalation.

Generated by OpenCVE AI on May 1, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GPU driver to the latest release from Imagination Technologies once a fix is available.
  • If a patch is not yet released, disable WebGPU support in browsers to prevent loading potentially malicious content.
  • Restrict the privileges granted to the GPU process, ensuring it does not run with system or root rights.
  • Monitor the system for GPU driver crashes or anomalous activity and set up alerts for suspicious behavior.

Generated by OpenCVE AI on May 1, 2026 at 22:54 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 20:15:00 +0000

Values Removed: none
Values Added:

  • Metrics
      cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:15:00 +0000

Values Removed: none
Values Added:

  • Description: A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device.
  • Title: GPU DDK - UAF read of GLES3Context::psDrawParams and GLES3Context::psMode and UAF read/write of RMJob::apsCCBs
  • Weaknesses: CWE-416
  • References

MITRE

Status: PUBLISHED

Assigner: imaginationtech

Published:

Updated: 2026-05-01T19:24:51.079Z

Reserved: 2026-01-06T15:50:36.205Z

Link: CVE-2026-22165

Vulnrichment

Updated: 2026-05-01T19:23:24.981Z

NVD

Status: Received

Published: 2026-05-01T16:16:29.437

Modified: 2026-05-01T20:16:20.890

Link: CVE-2026-22165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses