CRITICAL · CVE-2026-41157 · CNA: imaginationtech

CVE-2026-41157: GPU DDK - OOB Write in CalculateNPOTTwiddleSparsePageMap3D

A web page that contains unusual WebGPU content, loaded into the GPU GLES render process, can trigger an out-of-bounds write in the GPU user-space driver, leading to memory corruption and a possible browser/GPU process crash. The software computes a required memory size from untrusted input, but an integer overflow can produce a value smaller than needed. Subsequent write operations may then occur past the intended memory boundary, corrupting adjacent memory and causing process instability or termination.
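
The size-calculation failure described above, as an added example in C that is not the DDK's code or part of the advisory. The function names, entry layout, 64 MiB cap and dimensions are assumptions chosen to show a 32-bit product wrapping beside a checked alternative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical page-map entry and size cap; not the DDK's real values. */
typedef struct { uint32_t phys_page; uint32_t flags; } page_entry_t;
#define MAX_MAP_BYTES ((uint64_t)64 << 20)   /* assumed policy limit: 64 MiB */

/* Unchecked pattern: the 32-bit product wraps modulo 2^32, so the byte
 * count can be far smaller than the number of entries written later. */
static uint32_t map_bytes_unchecked(uint32_t w, uint32_t h, uint32_t d)
{
    return w * h * d * (uint32_t)sizeof(page_entry_t);
}

/* Checked pattern: test before each multiply, so the running total never
 * wraps and never exceeds the cap; zero dimensions are rejected too. */
static bool map_bytes_checked(uint32_t w, uint32_t h, uint32_t d, size_t *out)
{
    const uint32_t dims[3] = { w, h, d };
    uint64_t n = sizeof(page_entry_t);

    for (int i = 0; i < 3; i++) {
        if (dims[i] == 0 || n > MAX_MAP_BYTES / dims[i])
            return false;
        n *= dims[i];
    }
    *out = (size_t)n;
    return true;
}

int main(void)
{
    /* Constructed dimensions (in pages): 0x10001 * 0x10000 wraps to 0x10000. */
    uint32_t w = 0x10001u, h = 0x10000u, d = 1u;
    size_t bytes = 0;

    printf("unchecked: %u bytes\n", (unsigned)map_bytes_unchecked(w, h, d));
    printf("checked:   %s\n",
           map_bytes_checked(w, h, d, &bytes) ? "accepted" : "rejected");
    return 0;
}
```

The wrapped result equals the byte count of a legitimate 64 x 64 x 16 map, which is why the undersized buffer looks valid to the code that allocates it.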

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 26.2 RTM
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Imagination Technologies Graphics DDK (GPU user-space driver), affecting versions up to and including 25.3 RTM. A remote attacker with no authentication can trigger the flaw by delivering a crafted WebGPU page that the victim's browser loads, causing an integer overflow in CalculateNPOTTwiddleSparsePageMap3D that writes past an allocated memory buffer. Successful exploitation corrupts process memory and can crash the browser or GPU process, and depending on memory layout may allow arbitrary code execution. A patched-image rebuild at version 26.2 RTM is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-41157 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle the Imagination Technologies Graphics DDK at an affected version. No manual scan trigger is required; matching happens automatically on the next ingest cycle after publication.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.8 Critical (v3.1) and weights it further against each environment's configured compliance policy, escalating alerts for images where the driver is present in a production or internet-facing workload. Triage findings are routed to the team inbox or ticketing integration configured for the affected customer org.

Status: Available

Patch

A patched-image rebuild at Graphics DDK 26.2 RTM is available on HarborGuard for any image found to include an affected DDK version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression test suite, and opens a pull request against the affected workload automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network by serving a crafted WebGPU page to a user whose browser loads the affected GPU driver.

  • Authentication: Not required

    No account or credentials are required; any unauthenticated party who can deliver a web page to the target can attempt exploitation.

  • Victim interaction: Required

    The victim must load the malicious WebGPU page in their browser, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond delivering the crafted page.

Blast Radius

  • Corrupts memory in the GPU user-space driver process, which can crash the browser or GPU process and deny the user access to GPU-accelerated content.
  • Depending on memory layout at the time of exploitation, adjacent memory regions may be overwritten with attacker-influenced data, enabling arbitrary code execution within the render or GPU process.
  • Confidential data held in the affected process (rendered page content, GPU buffer contents) may be read or tampered with as a result of the memory corruption.
  • Process instability can spread to the host GPU driver context, potentially destabilizing other applications sharing the GPU on the same host.

How HarborGuard Handles This

Available on HarborGuard: detection of this critical out-of-bounds write is automatic, matching images that bundle any affected Graphics DDK version (1.18 RTM, 23.2 RTM, 24.2 RTM, or 25.3 RTM and earlier) against CVE-2026-41157 within minutes of the advisory entering upstream feeds. For customers who opt into auto-remediation, HarborGuard generates a rebuilt image pinned to the fixed 26.2 RTM release, runs the regression test suite, and opens a pull request against affected workloads; for environments with auto-remediation enabled, median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. Where compliance policy does not permit automatic remediation, the finding is surfaced in the HarborGuard dashboard with full CVSS detail and routed to the configured team inbox so engineers can review and act manually. Until the patched image is deployed, compensating controls include restricting access to services that expose WebGPU rendering surfaces (via network policy), isolating GPU workloads behind an additional process sandbox, and disabling WebGPU feature flags at the application or browser configuration layer where operationally feasible.


Fix available: 26.2 RTM

Affected packages

  • Imagination Technologies / Graphics DDK
    1.18 RTM · 23.2 RTM · 24.2 RTM · ≤ 25.3 RTM · 26.1 RTM
    Fixed in 26.2 RTM

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H