Impact
A use‑after‑free (UAF) condition occurs in the KEGLGetPoolBuffers function of Imagination Technologies’ Graphics DDK, which can be triggered by loading specially crafted WebGPU content in a web page. The vulnerability may cause a write UAF crash in the GPU GLES user‑space shared library. If the GPU process runs with system privileges, the crash could allow an attacker to gain further control over the system, potentially leading to execution of arbitrary code or other high‑impact actions. The weakness aligns with CWE‑416, indicating that memory is freed and subsequently accessed for writing.
Affected Systems
Imagination Technologies Graphics DDK is the affected product. The impact applies to any systems where the GPU DDK is deployed and the GPU GLES render process is executed with system privileges. Specific platform or version details are not disclosed in the available information, so all installations of the DDK that support WebGPU should be considered potentially at risk.
Risk and Exploitability
The vulnerability can be reached through a malicious web page that includes unusual WebGPU content, which makes the attack vector WebGL-reachable and, by inference, remote through a browser. The CVSS score is 8.1, indicating high severity. There is no EPSS score, and the issue is not listed in the CISA KEV catalog. The absence of an exploit probability metric suggests limited public exploitation data; however, because further exploitation is possible when the GPU process holds system privileges, the risk is significant if an attacker can supply the malicious content. Users should evaluate whether their GPU workloads run with elevated privileges and monitor for any abnormal GPU behavior.
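One way to carry out the privilege check suggested above on a Linux or Android host, as an added example that is not part of the advisory or of any vendor tooling: it flags processes that have a GLES library mapped while running with a privileged effective UID. Assumptions: a GLES library is recognised by `libGLES` in its file name, effective UIDs 0 (root) and 1000 (Android `system`) count as system privileges, and the sample data is constructed.

```python
import os

# Assumptions (not from the advisory): a GLES driver library has "libGLES" in
# its file name; effective UID 0 (root) or 1000 (Android "system") is privileged.
PRIVILEGED_EUIDS = {0, 1000}

# Constructed sample /proc/<pid>/status and /proc/<pid>/maps content.
SAMPLE_STATUS = "Name:\tgpu-worker\nUid:\t10123\t1000\t1000\t1000\n"
SAMPLE_MAPS = (
    "7f10a000-7f10c000 rw-p 00000000 00:00 0 \n"
    "7f20a000-7f2ff000 r-xp 00000000 fd:01 4711    /vendor/lib64/egl/libGLESv2_example.so\n"
)

def effective_uid(status_text):
    """Return the effective UID from /proc/<pid>/status content, or None."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "Uid:":
            return int(fields[2])  # field order: real, effective, saved, filesystem
    return None

def mapped_gles_libs(maps_text):
    """Return sorted GLES library paths found in /proc/<pid>/maps content."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode path
        if len(parts) == 6 and "libGLES" in os.path.basename(parts[5]):
            libs.add(parts[5].strip())
    return sorted(libs)

def is_at_risk(status_text, maps_text):
    """True when a process maps a GLES library and has a privileged effective UID."""
    return bool(mapped_gles_libs(maps_text)) and effective_uid(status_text) in PRIVILEGED_EUIDS

def scan_proc(proc_root="/proc"):
    """Yield (pid, euid, libs) for each privileged process with a GLES library mapped."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "status"), errors="replace") as f:
                status = f.read()
            with open(os.path.join(proc_root, pid, "maps"), errors="replace") as f:
                maps = f.read()
        except OSError:  # process exited, or maps is unreadable for this user
            continue
        if is_at_risk(status, maps):
            yield int(pid), effective_uid(status), mapped_gles_libs(maps)

if __name__ == "__main__":
    for pid, euid, libs in scan_proc():
        print(f"pid={pid} euid={euid} gles={','.join(libs)}")
```

Run it as root so that the `maps` files of other users' processes are readable; processes whose `maps` cannot be read are skipped silently.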