CVE-2026-22165: GPU GLES Write UAF in GPU DDK
Platform: linux
Component: imagination-technologies-gpu-ddk
Fixed in: 24.2.1
CVE-2026-22165 is a security vulnerability affecting the GPU DDK, impacting versions 1.18.0 through 26.1 RTM. A web page containing unusual WebGPU content, when loaded into the GPU GLES render process, can trigger a write Use-After-Free (UAF) crash within the GPU GLES user-space shared library. A fix is available in version 24.2.1.
Impact and attack scenarios
Successful exploitation of CVE-2026-22165 can lead to a crash of the GPU GLES user-space shared library. On systems with system privileges, this crash could potentially be leveraged to achieve further exploits, leading to privilege escalation or arbitrary code execution. The vulnerability arises from improper memory management when handling unusual WebGPU content, creating a scenario where a memory location is accessed after it has been freed. The potential for remote code execution depends on the specific platform and the privileges of the process executing the graphics workload.
Exploitation context
CVE-2026-22165 was published on 2026-05-01. The CVSS score is pending evaluation. The availability of public proof-of-concept (POC) code is currently unknown. Monitor security advisories and threat intelligence feeds for any indications of active exploitation. The vulnerability involves a UAF condition, which is a common attack vector, suggesting a potential for exploitation.
Threat analysis
EPSS: 0.01% (3rd percentile)
Mitigation and workarounds
The primary mitigation for CVE-2026-22165 is to upgrade the GPU DDK to version 24.2.1 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing stricter input validation for WebGPU content and limiting the privileges of processes executing graphics workloads. WAF rules could be implemented to block requests containing suspicious WebGPU content. After upgrading, confirm the fix by attempting to load a known malicious WebGPU page and verifying that the crash no longer occurs.
How to fix
Update the GPU DDK driver to version 24.2.1 or later to mitigate the use-after-free (UAF) vulnerability. Check the Imagination Technologies documentation for update instructions specific to your platform and configuration. Make sure to apply the latest security updates for your operating system and hardware.
Frequently asked questions
What is CVE-2026-22165 in GPU DDK?
It's a GPU DDK vulnerability leading to a write UAF crash when loading unusual WebGPU content.
Am I affected by CVE-2026-22165 in GPU DDK?
If you're using GPU DDK versions 1.18.0 through 26.1 RTM, you are potentially affected.
How do I fix CVE-2026-22165 in GPU DDK?
Upgrade the GPU DDK to version 24.2.1 or later to resolve the vulnerability.
Is CVE-2026-22165 being actively exploited?
Currently, there are no public reports of active exploitation.
Where can I find the official GPU DDK advisory for CVE-2026-22165?
Refer to the vendor's security advisory and the NVD entry for CVE-2026-22165.