Description
Kernel software installed and running inside a Guest/Host VM may post improper commands to the GPU Firmware to trigger a write of data outside the intended GPU memory.



A logic error in the address translation allowed a compromised Host (Kernel) to perform arbitrary writes to firmware memory.
Published: 2026-06-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the address translation function rgxfw_to_ptr() within the GPU DDK allows a compromised kernel running on a host or guest VM to send malformed commands to the GPU firmware, resulting in arbitrary writes to firmware memory. Based on the description, it is inferred that the flaw originates from insufficient pointer validation and could enable an attacker to overwrite firmware code or data, potentially leading to arbitrary code execution or privilege escalation on the host or guest system.

Affected Systems

Vendors affected are Imagination Technologies Graphics DDK. Specific product or version information is not specified in the data, so any installation of the Graphics DDK that includes rgxfw_to_ptr() is potentially vulnerable. Based on the description, it is inferred that the lack of version specifics means all such installations are at risk.

Risk and Exploitability

Based on the description, it is inferred that the exploit requires the attacker to control or compromise kernel-level code on the host or guest VM. The CVSS score of 4.3 indicates a medium severity but the flaw allows arbitrary firmware memory writes, which could be leveraged for privilege escalation. The vulnerability is not listed in the CISA KEV catalog, indicating that known public exploits are not yet confirmed, but the lack of mitigation or patch information implies a high likelihood of exploitation if the flaw remains unpatched.

Generated by OpenCVE AI on June 1, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Imagination Technologies Graphics DDK firmware or driver update when available, which is expected to include proper pointer validation in rgxfw_to_ptr().
  • Restrict kernel-level access to the GPU by limiting GPU firmware interface exposure to trusted processes, particularly in virtualized environments where a compromised host kernel could otherwise influence guest GPU operations.
  • Conduct a code review or static analysis of the address translation logic in rgxfw_to_ptr() to ensure pointers are validated against the firmware memory bounds, and implement additional bounds checking or sandboxing as a workaround until a patch is released.

Generated by OpenCVE AI on June 1, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Imaginationtech
Imaginationtech graphics Ddk
Vendors & Products Imaginationtech
Imaginationtech graphics Ddk

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description Kernel software installed and running inside a Guest/Host VM may post improper commands to the GPU Firmware to trigger a write of data outside the intended GPU memory. A logic error in the address translation allowed a compromised Host (Kernel) to perform arbitrary writes to firmware memory.
Title GPU DDK - Arbitrary write via UFO updates due insufficient pointer validation in rgxfw_to_ptr()
Weaknesses CWE-823
References

Subscriptions

Imaginationtech Graphics Ddk
cve-icon MITRE

Status: PUBLISHED

Assigner: imaginationtech

Published:

Updated: 2026-06-01T14:29:23.685Z

Reserved: 2026-03-26T13:47:30.669Z

Link: CVE-2026-34193

cve-icon Vulnrichment

Updated: 2026-06-01T14:28:29.805Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-01T13:16:31.460

Modified: 2026-06-01T17:07:57.203

Link: CVE-2026-34193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:15:16Z

Weaknesses
  • CWE-823

    Use of Out-of-range Pointer Offset