
CVE-2026-22165: UAF in GPU DDK 1.18.0–26.1 RTM

Platform

linux

Component

imagination-technologies-gpu-ddk

Fixed in

24.2.1

CVE-2026-22165 describes a Use-After-Free (UAF) vulnerability within the GPU DDK, specifically impacting versions 1.18.0 through 26.1 RTM. This flaw arises when a web page containing unusual WebGPU content is loaded into the GPU GLES render process, leading to a crash in the GPU GLES user-space shared library. Successful exploitation, particularly on systems with elevated privileges, could lead to further malicious actions on the device. The vulnerability was published on May 1, 2026, and a fix is available in version 24.2.1.

Impact and Attack Scenarios

The core impact of CVE-2026-22165 lies in the potential for arbitrary code execution. A malicious actor could craft a web page containing specially designed WebGPU content. When this content is processed by the GPU GLES render process, the UAF vulnerability is triggered, corrupting memory. If the process has system privileges, this corruption can be leveraged to execute arbitrary code, granting the attacker control over the device. The blast radius extends to any application utilizing the vulnerable GPU DDK, making a wide range of system functions potentially accessible to an attacker. While no immediate public exploits are known, the UAF nature of the vulnerability suggests a high likelihood of exploitation once a suitable exploit is developed.

Exploitation Context

CVE-2026-22165 is not currently listed in the CISA KEV (Known Exploited Vulnerabilities) catalog. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. No public proof-of-concept (PoC) code has been released as of the publication date. While no active campaigns targeting this vulnerability have been observed, the UAF nature of the flaw makes it a likely target for future exploitation. Refer to the vendor advisory for further details and updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.01% (3rd percentile)

Affected Software

Component: imagination-technologies-gpu-ddk
Vendor: Imagination Technologies
Minimum version: 1.18.0
Maximum version: 26.1 RTM
Fixed in: 24.2.1

Weakness Classification (CWE)

Timeline

  1. Published
  2. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-22165 is to upgrade the GPU DDK to version 24.2.1 or later. If an immediate upgrade is not feasible due to compatibility issues or system downtime requirements, consider implementing temporary workarounds. While a direct WAF rule targeting the specific WebGPU content triggering the vulnerability is unlikely to be practical, restricting the execution of untrusted WebGPU content within the browser could offer some protection. Regularly review and update browser security settings to ensure the latest security patches are applied. After upgrading to version 24.2.1, verify the fix by attempting to load the triggering WebGPU content and confirming that the crash no longer occurs.

How to fix

Update the GPU DDK driver to version 24.2.1 or later to mitigate the use-after-free (UAF) vulnerability. Check the Imagination Technologies documentation for update instructions specific to your platform and configuration. Make sure the latest security updates for your operating system and hardware are applied.

Frequently asked questions

What is CVE-2026-22165 — UAF in GPU DDK 1.18.0–26.1 RTM?

CVE-2026-22165 is a Use-After-Free vulnerability in the GPU DDK affecting versions 1.18.0 through 26.1 RTM. It's triggered by unusual WebGPU content, potentially allowing attackers to execute code on devices with system privileges.

Am I affected by CVE-2026-22165 in GPU DDK 1.18.0–26.1 RTM?

You are affected if your system runs GPU DDK versions 1.18.0 to 26.1 RTM and processes WebGPU content. Check your GPU DDK version and upgrade if necessary.

How do I fix CVE-2026-22165 in GPU DDK 1.18.0–26.1 RTM?

Upgrade the GPU DDK to version 24.2.1 or later. If immediate upgrade isn't possible, consider temporary workarounds like restricting untrusted WebGPU content.

Is CVE-2026-22165 being actively exploited?

No active campaigns have been observed as of the publication date, but the UAF nature of the vulnerability suggests a potential for future exploitation.

Where can I find the official GPU DDK advisory for CVE-2026-22165?

Refer to the vendor's official security advisory page for the latest information and updates regarding CVE-2026-22165 and the GPU DDK.
