CVE-2026-34194

Vulnerability

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting, creating a potential use-after-free scenario. This vulnerability affects DDK Releases up to and including 25.2 RTM [1]. The product accidentally refers to the wrong memory due to the semantics of how math operations are implicitly scaled across buffers of different sizes.

Exploitation

An attacker running as a non-privileged user can trigger this vulnerability by making improper GPU system calls. The specific sequence involves exploiting the mismanagement of a mapping state maintained for a sparse memory allocation, leading to the incorrect referencing of memory across buffers of different sizes [1].

Impact

Successful exploitation of this vulnerability can lead to a use-after-free condition. This could allow an attacker to gain elevated privileges or potentially achieve arbitrary code execution on the affected system, depending on the specific context and available system resources [1].

Mitigation

The DDK kernel module has been updated to address this improper use of GPU system calls to ensure that resources cannot prematurely free whilst references exist. DDK Releases up to and including 25.2 RTM are affected. The DDK has been updated to introduce protection to prevent this information leak from taking place [1].