CVE-2026-34195

Vulnerability

An out-of-bounds write vulnerability exists in the Imagination Technologies GPU Device Driver Kit (DDK) kernel module. The product incorrectly indexes internal state when performing sparse allocation remapping, allowing a non-privileged user to trigger a write past allocated boundaries by making intentional GPU sparse memory API calls. The affected versions are not explicitly disclosed in the available reference [1], but the vulnerability resides in the kernel component of the DDK.

Exploitation

An attacker must have local non-privileged user access to the system to interact with the GPU device. By crafting specific sparse memory API calls, they can cause the driver to use incorrect indices during remapping, leading to an out-of-bounds write in kernel memory. No additional user interaction or special privileges are required beyond the ability to issue GPU API calls.

Impact

Successful exploitation enables the attacker to write controlled data past allocated buffers in kernel memory. This can corrupt kernel structures, potentially resulting in privilege escalation, arbitrary code execution at the kernel level, or system instability.

Mitigation

As of the publication date, no official fix for CVE-2026-34195 has been disclosed in the vendor advisory [1]. Users should monitor Imagination Technologies for updated DDK releases. In the interim, restrict access to GPU API calls to trusted users and applications as a general defense-in-depth measure.