Unrated severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-41157

Description

Integer overflow in Imagination GPU DDK when handling WebGPU content can lead to out-of-bounds write, memory corruption, and possible browser or GPU process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow vulnerability exists in the Imagination Technologies GPU Driver Development Kit (DDK) when processing unusual WebGPU content within the GPU GLES render process [1]. The software computes a required memory buffer size from untrusted input, but an integer overflow can produce a value smaller than actually needed. This leads to an out-of-bounds write in the GPU user-space driver, corrupting adjacent memory. The affected versions include DDK releases up to and including 25.2 RTM [1].

Exploitation

An attacker would need to host or inject a specially crafted web page containing malicious WebGPU content that is rendered by the GPU using the GLES render process. When the GPU driver processes this content, the integer overflow occurs during memory size calculation, and subsequent write operations exceed the allocated buffer boundary. No privileged access is required; the attack can be initiated from a non-privileged web context.

Impact

Successful exploitation results in memory corruption that can cause the browser or GPU process to crash. In more severe scenarios, the out-of-bounds write could potentially be leveraged for arbitrary code execution, though the primary documented impact is denial of service due to process instability or termination.

Mitigation

Imagination Technologies has not yet published a patched DDK release specifically for this vulnerability as of the publication date. Affected versions are DDK releases up to and including 25.2 RTM. Users should monitor the Imagination security advisory page [1] for updates and apply a fixed version once available. No workaround is currently documented.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
