The vulnerability arises when the GPU DDK’s MMU allocation routine fails to clear page‑table pointers during error recovery, leaving dangling references to freed physical memory. An attacker running ordinary user processes can prompt the bad path by issuing malformed GPU system calls, triggering a use‑after‑free of GPU page‑table structures. This use‑after‑free (CWE‑416) can corrupt memory used by the graphics driver or, if the driver runs in privileged mode, could potentially lead to kernel‑level code execution or a denial of service.

Imagination Technologies’ Graphics DDK contains the affected code. No specific version numbers are listed, so any installation of the Graphics DDK that contains the unpatched MMU routine is potentially vulnerable.

EPSS data is not available and the vulnerability is not in the CISA KEV catalog, leaving the real exploitation probability uncertain. The CVSS score is not reported, but the nature of a use‑after‑free in the GPU driver gives the issue a high potential impact if exploited. The attack requires a local non‑privileged client that can invoke GPU system calls; the path to gain full compromise depends on whether the driver executes in kernel space. Until an official fix is released, organizations should evaluate the risk of running untrusted GPU workloads in the affected environment.