CVE-2026-34196 PUBLISHED

GPU DDK - UAF read and/or write of arbitrary physical memory due to integer truncation in PMRDevPhysAddrOSMem

Assigner: imaginationtech
Reserved: 26.03.2026 Published: 10.07.2026 Updated: 10.07.2026

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address. One of these virutal mappings can be freed along with the physical page, allowing for a read/write UAF via the second mapping

The second virtual mapping references a physical address that has been freed after the first virtual mapping has been freed. This allows the physical memory to be allocated (for example) by another process and read/written to.

Product Status

Vendor Imagination Technologies
Product Graphics DDK
Versions Default: unknown
  • Version 1.18 RTM2 is affected
  • Version 23.2 RTM2 is affected
  • Version 24.2 RTM2 is affected
  • affected from 25.1 RTM2 to 25.3 RTM (incl.)
  • Version 26.1 RTM1 is affected
  • Version 26.1 RTM2 is unaffected

References

Problem Types

  • CWE-416: Use After Free CWE

Impacts

  • CAPEC-124: Shared Resource Manipulation