CVE-2026-22167— GPU DDK - Cache resident PM buffers writable by other GPU requestors, leading to arbitrary write to physical memory
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22167
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GPU DDK - Cache resident PM buffers writable by other GPU requestors, leading to arbitrary write to physical memory
Source: NVD (National Vulnerability Database)
Vulnerability Description
Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
内存缓冲区边界内操作的限制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Imagination Graphics DDK 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Imagination Graphics DDK是英国Imagination公司的一款GPU驱动工具套件。 Imagination Graphics DDK存在缓冲区错误漏洞,该漏洞源于非特权用户运行的软件可能执行不当的GPU系统调用,强制GPU写入任意物理内存页,导致内核和驱动程序使用的内存页数据被破坏,从而改变其行为,并可能对受限的内部GPU缓冲区执行写操作,最终导致任意物理内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Imagination Technologies | Graphics DDK | 1.18 RTM | - |
II. Public POCs for CVE-2026-22167
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22167
请登录查看更多情报信息。
Same Patch Batch · Imagination Technologies · 2026-05-01 · 3 CVEs total
| CVE-2026-22166 | GPU DDK - Write UAF in KEGLGetPoolBuffers, WebGL reachable | |
| CVE-2026-22165 | GPU DDK - UAF read of GLES3Context::psDrawParams and GLES3Context::psMode and UAF read/wri |
IV. Related Vulnerabilities
Same product: Graphics DDK
- CVE-2026-22166
GPU DDK - Write UAF in KEGLGetPoolBuffers, WebGL reachable - CVE-2026-22165
GPU DDK - UAF read of GLES3Context::psDrawParams and GLES3Co - CVE-2026-21733
RESERVED - CVE-2026-22163
GPU DDK - Unsafe writing of MMU PT entries on systems with 3 - CVE-2026-21732
GPU DDK - libusc OOB write at ConvertSwitchToArrayLookupBP d
Same vendor: Imagination Technologies
- CVE-2026-22166
GPU DDK - Write UAF in KEGLGetPoolBuffers, WebGL reachable - CVE-2026-22165
GPU DDK - UAF read of GLES3Context::psDrawParams and GLES3Co - CVE-2026-21733
RESERVED - CVE-2026-22163
GPU DDK - Unsafe writing of MMU PT entries on systems with 3 - CVE-2026-21732
GPU DDK - libusc OOB write at ConvertSwitchToArrayLookupBP d
Same weakness: CWE-119
- CVE-2026-27890
Firebird has Pre-Auth DOS when Processing Out of Order CNCT_ - CVE-2026-34864
Huawei HarmonyOS 安全漏洞 - CVE-2026-4149
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code - CVE-2026-34988
Wasmtime leaks data between pooling allocator instances - CVE-2026-39892
cryptography has a buffer overflow if non-contiguous buffers
V. Comments for CVE-2026-22167
No comments yet