CRITICAL🇵🇱 Wersja polska

CVE-2025-13952

CVSS 9.8v3.1pub. 2026-01-24upd. 2026-01-28

A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object.

🤖 AI Analysis
How it works

A website containing unusual GPU shader code is loaded into the GPU compiler process. The shader code triggers an execution path in the compiler that stores an outdated pointer referencing an already freed object in memory. This results in a write to a freed memory area (write use-after-free), causing a crash of the compiler process. On platforms where the compiler process has system privileges, this memory management vulnerability can be exploited to perform further exploits on the device.

Impact

An attacker can cause a crash of the GPU compiler process, and on platforms with a privileged compiler process — potentially gain the ability to execute further exploits with system privileges, which threatens the confidentiality, integrity, and availability of the device.

Mitigation & patch

Apply patches available from the manufacturer according to the references: https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Who is affected

Imagination DDK library (GPU shader compiler library) — versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Imaginationtech Ddk

    APP
    Imaginationtech
    < 25.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2026-21732CRITICAL9.6PL ✓ten sam produkt

Out-of-bounds write w kompilatorze GPU shader Imagination Technologies DDK

CVE-2025-25176CRITICAL9.1PL ✓ten sam produkt

Wyciek rejestrów bezpiecznych obciążeń przez środowisko niezabezpieczone — Imagination DDK

CVE-2026-45195HIGH7.8ten sam produkt

Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigg...

CVE-2026-21734HIGH7.7ten sam produkt

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a wri...

CVE-2026-22165HIGH8.1ten sam produkt

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a writ...