CVE-2026-22166: UAF in GPU DDK 1.18.0–26.1 RTM
Platform: linux
Component: gpu-ddk
CVE-2026-22166 describes a Use-After-Free (UAF) vulnerability discovered in the GPU DDK component. This flaw arises when a web page containing atypical WebGPU content is processed by the GPU GLES render process, triggering a crash within the GPU GLES user-space shared library. Affected versions include 1.18.0–26.1 RTM; a fix is pending from the vendor.
Impact and Attack Scenarios
The core impact of CVE-2026-22166 lies in its potential for remote code execution (RCE) on systems with elevated privileges. An attacker could craft a malicious web page containing specially designed WebGPU content. When this content is loaded and processed by the GPU DDK, the UAF condition is triggered, leading to a crash. If the process handling the graphics workload has system privileges, this crash can be leveraged to execute arbitrary code, effectively compromising the entire system. The blast radius is significant, potentially affecting any application utilizing the vulnerable GPU DDK, especially those handling user-supplied WebGPU content. This vulnerability shares similarities with other UAF exploits where memory corruption can be chained to achieve RCE.
Exploitation Context
CVE-2026-22166 was published on 2026-05-01. The EPSS score is pending evaluation, but the potential for RCE suggests a medium to high probability of exploitation if a public exploit is developed. Currently, no public Proof-of-Concept (PoC) code is known. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. Monitor NVD and CISA advisories for updates and potential exploitation campaigns.
Threat Intelligence
EPSS: 0.01% (3rd percentile)
Mitigation and Workarounds
Due to the lack of a fixed version, mitigation strategies focus on reducing the attack surface and limiting potential damage. The primary approach is to restrict the loading and execution of untrusted WebGPU content. This can be achieved through stricter content filtering policies within web applications and browsers. Reviewing and minimizing the privileges granted to processes handling graphics workloads is also crucial. Consider implementing sandboxing techniques to isolate graphics processing from the rest of the system. While a direct detection signature is difficult to create, monitoring for unexpected GPU GLES library crashes and unusual WebGPU activity can provide early warning signs. Regularly review and update security policies related to web content and privilege management. After implementing these mitigations, verify the system's stability by testing with various WebGPU applications and observing GPU performance.
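The crash monitoring suggested above can be approximated by scanning kernel log output for segfaults attributed to the GLES user-space library and grouping them by offset inside the library. This is an added example, not code from the vendor or from this advisory; the library name pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Linux kernel log line for a user-space fault, as shown by dmesg or journalctl -k.
# An optional "offset," field before the mapping base is accepted.
SEGV = re.compile(
    r"(?:^|[\]:] )(?P<comm>[^\[\]:]+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error [0-9a-f]+ "
    r"in (?P<obj>[^\[\s]+)\[(?:[0-9a-f]+,)?(?P<base>[0-9a-f]+)\+[0-9a-f]+\]"
)

# ASSUMPTION: the GLES user-space library has "GLES" in its file name. The advisory
# does not name the file; replace this with the soname shipped in your DDK build.
LIB_PATTERN = re.compile(r"GLES", re.I)

def gles_faults(lines, lib_pattern=LIB_PATTERN):
    """Return one dict per segfault whose faulting object matches lib_pattern."""
    hits = []
    for line in lines:
        m = SEGV.search(line)
        if not m or not lib_pattern.search(m["obj"]):
            continue
        hits.append({
            "comm": m["comm"].strip(), "pid": int(m["pid"]),
            "object": m["obj"],
            # ip minus mapping base is stable across ASLR, so repeats group together.
            "offset": hex(int(m["ip"], 16) - int(m["base"], 16)),
        })
    return hits

def repeated_sites(hits, threshold=2):
    """Crash sites (object, offset) seen at least `threshold` times."""
    counts = Counter((h["object"], h["offset"]) for h in hits)
    return {site: n for site, n in counts.items() if n >= threshold}

# Constructed sample lines (not from a real system); the library name is a placeholder.
SAMPLE = [
    "[ 1201.334455] chrome[4321]: segfault at 7f2a10003f10 ip 00007f2a0c41b2c4 sp 00007ffd1c2a9e80 error 4 in libGLESv2_example.so[7f2a0c400000+1a0000]",
    "May 01 10:02:11 host kernel: chrome[4410]: segfault at 7f9b44003f10 ip 00007f9b4001b2c4 sp 00007ffe3a1b7c40 error 4 in libGLESv2_example.so[7f9b40000000+1a0000]",
    "[ 1300.000001] python3[555]: segfault at 0 ip 00007f1111111234 sp 00007ffc00000000 error 4 in libc.so.6[7f1111100000+195000]",
]

if __name__ == "__main__":
    print(repeated_sites(gles_faults(SAMPLE)))
```

The same offset recurring across different processes or reboots points to one crash site being hit repeatedly, which is worth escalating even when each individual crash looks benign.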
How to fix
Apply the security updates provided by Imagination Technologies for the GPU DDK. See the Imagination Technologies website for further details and the fixed versions: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
Frequently asked questions
What is CVE-2026-22166 — UAF in GPU DDK 1.18.0–26.1 RTM?
CVE-2026-22166 is a Use-After-Free vulnerability in the GPU DDK component, affecting versions 1.18.0–26.1 RTM. It arises from processing unusual WebGPU content, potentially leading to a system crash and exploitation.
Am I affected by CVE-2026-22166 in GPU DDK 1.18.0–26.1 RTM?
If you are using GPU DDK versions 1.18.0–26.1 RTM and your system processes WebGPU content, you are potentially affected. Assess your WebGPU usage and privilege configurations.
How do I fix CVE-2026-22166 in GPU DDK 1.18.0–26.1 RTM?
A fixed version is currently unavailable. Mitigation involves restricting WebGPU content, reviewing system privileges, and monitoring for crashes. Stay informed about vendor updates.
Is CVE-2026-22166 being actively exploited?
As of now, there are no known public exploits or active campaigns targeting CVE-2026-22166. However, the potential for RCE warrants vigilance.
Where can I find the official GPU DDK advisory for CVE-2026-22166?
Refer to the vendor's official security advisory page for GPU DDK. Check their website and security bulletins for updates related to CVE-2026-22166.