{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-41158: GPU DDK - Backed sparse PMRs are not handled by deferred free mechanism after shrink","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-41158","status":"final","version":"1","initial_release_date":"2026-06-12T21:57:29.607Z","current_release_date":"2026-06-15T19:26:18.813Z","revision_history":[{"date":"2026-06-12T21:57:29.607Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.\n\n\n\nPhysical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-41158 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-41158"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-41158"},{"category":"external","summary":"imaginationtech.com","url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/"}]},"product_tree":{"branches":[{"category":"vendor","name":"Imagination Technologies","branches":[{"category":"product_name","name":"Graphics DDK","branches":[{"category":"product_version_range","name":">=25.1 RTM <=25.3 RTM","product":{"name":"Imagination Technologies Graphics DDK >=25.1 RTM <=25.3 RTM","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"26.1 RTM","product":{"name":"Imagination Technologies Graphics DDK 26.1 RTM","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"1.18 RTM","product":{"name":"Imagination Technologies Graphics DDK 1.18 RTM","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"23.2 RTM","product":{"name":"Imagination Technologies Graphics DDK 23.2 RTM","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"24.2 RTM","product":{"name":"Imagination Technologies Graphics DDK 24.2 RTM","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"26.2 RTM","product":{"name":"Imagination Technologies Graphics DDK 26.2 RTM","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:imagination_technologies:graphics_ddk:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-41158","title":"GPU DDK - Backed sparse PMRs are not handled by deferred free mechanism after shrink","notes":[{"category":"description","text":"Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.\n\n\n\nPhysical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"],"fixed":["CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 1.18 RTM, 23.2 RTM, 24.2 RTM, 26.2 RTM.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}