How is CVE-2026-34195 exploited?

Network reachability (required): The affected service must be reachable over the network; the CVSS vector specifies AV:N, meaning an attacker initiates the exploit remotely. Authentication (required): The attacker must hold a valid low-privilege account; the CVSS vector specifies PR:L, so any standard user credential is sufficient. Victim interaction (not-required): No user action or social engineering is needed; the CVSS vector specifies UI:N, so the attacker triggers the vulnerability entirely on their own. Attack complexity (info): Exploitation is reliable and condition-free; the CVSS vector specifies AC:L, meaning no race conditions or specific memory layouts are required.

What is the impact of CVE-2026-34195?

Reads arbitrary kernel memory, exposing sensitive data such as credentials, cryptographic keys, and other processes' memory contents. Writes arbitrary data into kernel heap memory, allowing the attacker to overwrite kernel structures and escalate privileges or inject malicious code. Crashes the affected kernel driver or the host system, causing a denial of service for all workloads sharing that node. Combines confidentiality and integrity compromise to enable persistent kernel-level access to the affected host.

Back to search

HIGHCVE-2026-34195Published 2026-06-12Modified 2026-06-15CNA imaginationtech

CVE-2026-34195: GPU DDK - Kernel heap OOB write in PMRChangeSparseMemOSMem due to incorrect physical page translation from virtual page indexes

Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 1.18 RTM
Affected Products: 1

HarborGuard Analysis

Synopsis

A kernel heap out-of-bounds write vulnerability exists in the Imagination Technologies Graphics DDK, specifically in the PMRChangeSparseMemOSMem function. It is reachable over the network by any low-privileged user and requires no victim interaction. Successful exploitation gives an attacker full read and write access to kernel memory and can crash the affected service. A patched-image rebuild at fix versions 1.18 RTM, 23.2 RTM, 26.1 RTM, and 26.2 RTM is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-34195 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching covers custom-built images that bundle the affected Graphics DDK alongside standard base images.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 8.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically upon match.

Available

Patch

A patched-image rebuild pinned to one of the fix versions (1.18 RTM, 23.2 RTM, 26.1 RTM, or 26.2 RTM) becomes available on HarborGuard for any image found to contain an affected Graphics DDK version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the new image, and open a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The affected service must be reachable over the network; the CVSS vector specifies AV:N, meaning an attacker initiates the exploit remotely.
AuthenticationRequired
The attacker must hold a valid low-privilege account; the CVSS vector specifies PR:L, so any standard user credential is sufficient.
Victim interactionNot required
No user action or social engineering is needed; the CVSS vector specifies UI:N, so the attacker triggers the vulnerability entirely on their own.
Attack complexityDetail
Exploitation is reliable and condition-free; the CVSS vector specifies AC:L, meaning no race conditions or specific memory layouts are required.

Blast Radius

Reads arbitrary kernel memory, exposing sensitive data such as credentials, cryptographic keys, and other processes' memory contents.
Writes arbitrary data into kernel heap memory, allowing the attacker to overwrite kernel structures and escalate privileges or inject malicious code.
Crashes the affected kernel driver or the host system, causing a denial of service for all workloads sharing that node.
Combines confidentiality and integrity compromise to enable persistent kernel-level access to the affected host.

How HarborGuard Handles This

Available on HarborGuard: for any image that includes an affected version of the Imagination Technologies Graphics DDK (24.2 RTM or at or below 25.3 RTM), a rebuild against the patched versions (1.18 RTM, 23.2 RTM, 26.1 RTM, or 26.2 RTM) is available. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, execute a regression test run against the resulting image, and open a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the rebuilt image is staged and a finding is routed to the designated team inbox for manual review and promotion.

See how HarborGuard automates this

Fix available

1.18 RTM23.2 RTM26.1 RTM26.2 RTM

Affected packages

Imagination Technologies / Graphics DDK
24.2 RTM · ≤ 25.3 RTM
Fixed in 1.18 RTM, 23.2 RTM, 26.1 RTM, 26.2 RTM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

imaginationtech.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available