CVE-2026-34194: GPU DDK - UAF read and/or write to arbitrary physical pages in DevmemIntChangeSparse due to incorrect calculation of the virtual index count
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of a mapping state maintained for a sparse memory allocation. The product accidentally refers to the wrong memory due to the semantics of how math operations are implicitly scaled across buffers of different sizes.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 1.18 RTM
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free (UAF) vulnerability in the Imagination Technologies Graphics DDK allows a local, low-privileged user to trigger reads and writes to arbitrary physical memory pages by issuing crafted GPU system calls against a sparse memory mapping. The flaw lives in the DevmemIntChangeSparse function, where an incorrect virtual index count calculation causes the driver to reference the wrong physical memory due to implicit scaling mismatches between buffers of different sizes (AV:L, PR:L, UI:N). Successful exploitation lets an attacker corrupt or disclose arbitrary physical memory, which on typical systems means bypassing memory isolation between processes or crashing the kernel. A patched-image rebuild at fix versions 1.18 RTM and 23.2 RTM is available on HarborGuard for environments running an affected Graphics DDK version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-34194 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Imagination Technologies Graphics DDK. Coverage extends to both registry scans and CI/CD pipeline checks, so affected images are flagged before they reach production.
Available
HarborGuard scores this CVE at CVSS 7.1 HIGH and weights it against each customer organization's per-environment compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each org based on image ownership and policy configuration, so the right engineers see the alert without manual triage.
Available
A patched-image rebuild at fix versions 1.18 RTM or 23.2 RTM becomes available on HarborGuard for any environment where the affected Graphics DDK version is detected. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
- Authentication: Required
  Any low-privilege local account is sufficient; no elevated or administrative credentials are needed to issue the malicious GPU system calls.
- Victim interaction: Not required
  No user interaction is needed; the attacker triggers the vulnerability entirely through their own process without involving another user.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors outside the attacker's control.
Blast Radius
- Attacker writes to arbitrary physical memory pages, allowing corruption of kernel data structures or memory belonging to other processes.
- Attacker can crash the affected system by overwriting critical kernel state, causing a denial of service.
- Integrity of persisted data is at risk if writeable physical pages back storage buffers or file-system caches used by other workloads.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34194 is active against all scanned images the moment the CVE enters upstream feeds, with no manual configuration required. For environments confirmed to be running an affected Graphics DDK version (24.2 RTM, up to and including 25.3 RTM, or 26.1 RTM), a rebuilt image pinned to fix version 1.18 RTM or 23.2 RTM is made available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams that manage patching manually, the finding card links directly to the fix version release notes from Imagination Technologies so engineers have everything needed to act without additional research.
Fix available
- Imagination Technologies / Graphics DDK: affected 24.2 RTM · ≤ 25.3 RTM · 26.1 RTM; fixed in 1.18 RTM, 23.2 RTM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H