HIGHCVE-2026-40393Published 2026-04-12Modified 2026-04-13CNA mitre

CVE-2026-40393: In Mesa before 25

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 25.3.6
Affected Products: 1

Fix available

25.3.626.0.1

Affected packages

mesa3d / Mesa
< 25.3.6 (from 0) · < 26.0.1 (from 26.0.0)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

lists.freedesktop.org
gitlab.freedesktop.org

Metrics

Fix available