Impact
This vulnerability occurs when the Graphics DDK fails to process backed sparse PMRs with the deferred free mechanism, leaving freed physical pages accessible to the GPU after the kernel module has released them. A non‑privileged process can therefore issue GPU system calls that write to these freed pages. The resulting arbitrary memory write can corrupt kernel or driver memory, potentially enabling local privilege escalation or arbitrary code execution. The weakness corresponds to a use‑after‑free flaw (CWE‑416).
Affected Systems
The affected component is Imagination Technologies’ Graphics DDK driver. No version range was specified in the advisory, implying that the flaw may be present in multiple releases of the driver. Systems running the Graphics DDK on any platform that exposes the undocumented PMR handling to non‑privileged users are potentially impacted.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of real‑world exploitation is currently unclear. However, because the flaw permits an arbitrary write from a local user to kernel memory, the severity is high and the potential for privilege escalation is significant. Attackers would need local access with the ability to load or invoke GPU system calls, which is generally granted to all users in typical deployments. Without mitigations such as kernel hardening or driver updates, the risk remains high.