High severity8.1NVD Advisory· Published Apr 12, 2026· Updated Apr 16, 2026

CVE-2026-40393

Description

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

Affected products

Mesa3d/Mesa2 versions
cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*range: <25.3.6
- cpe:2.3:a:mesa3d:mesa:26.0.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.freedesktop.org/archives/mesa-dev/2026-February/226597.htmlnvdIssue TrackingMailing List

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000