PatchSiren

Imagination Technologies CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Imagination Technologies CVE published 2026-07-10

CVE-2026-7639

CVE-2026-7639 is a use after free vulnerability in GPU system calls. Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader code. Triggering failure path in the MMU mapping logic by a malicious code could lead to incomplete cleanup of an internal driver state, allow [truncated]

Review Imagination Technologies CVE published 2026-07-10

CVE-2026-45203

A TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use. Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel. This vulnerability affects users of Imaginationtech GPU drivers, who should verify their systems for po [truncated]

Review Imagination Technologies CVE published 2026-07-10

CVE-2026-45196

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:54.657Z and has not been modified since then. The vulnerability affects kernel software installed and running inside a Host VM, which may post improper commands to the GPU Firmware, triggering a GPU register access that can lead to privilege escalation.

Review Imagination Technologies CVE published 2026-07-10

CVE-2026-41154

Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls. When indexing pages larger than 4kB in the page freeing logic of the sparse memory implementation, incorrect buffer indexing leads to OOB access. This vulnerability affects users of GPU drivers from Imagination Technologies, potentially allowing unauthorized access to sensitive kernel memory.

Review Imagination Technologies CVE published 2026-07-10

CVE-2026-34196

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address. One of these virtual mappings can be freed along with the physical page, allowing for a read/write UAF via the second mapping. The vulnerability can be triggered by a non-privileged user, potentially leading to a denial of se [truncated]

HIGH Imagination Technologies CVE published 2026-06-12

CVE-2026-41158

CVE-2026-41158 is a vulnerability that affects GPU system calls. Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages. This occurs when physical memory is allocated and freed without the deferred free mechanism, allowing the GPU to use those resources for read/write after the kernel module has freed the resource. The vulnerability is r [truncated]

CRITICAL Imagination Technologies CVE published 2026-06-12

CVE-2026-41157

CVE-2026-41157 is an out-of-bound write vulnerability in the GPU user-space driver. A web page with unusual WebGPU content can trigger memory corruption and a possible browser/GPU process crash. The vulnerability occurs when the software computes a required memory size from untrusted input, but an integer overflow produces a value smaller than needed. Subsequent write operations may then occur past the in [truncated]

MEDIUM Imagination Technologies CVE published 2026-06-12

CVE-2026-41155

CVE-2026-41155 is a vulnerability in an unknown vendor's GPU kernel module that allows an attacker to cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations. Additionally, an attacker could disrupt the operation of another secure GPU process, leading to image corruption or GPU hardware recovery. This vulnerability affects shared resources [truncated]

HIGH Imagination Technologies CVE published 2026-06-12

CVE-2026-34195

CVE-2026-34195 is a vulnerability in an unknown vendor's product that allows a non-privileged user to cause an out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping. This vulnerability was published on 2026-06-12T22:16:50.270Z and has not been modified since then.

HIGH Imagination Technologies CVE published 2026-06-08

CVE-2026-34194

CVE-2026-34194 is a HIGH severity vulnerability with a CVSS score of 7.1. The vulnerability occurs when software installed and run as a non-privileged user conducts improper GPU system calls, causing mismanagement of a mapping state maintained for a sparse memory allocation. This happens because the product accidentally refers to the wrong memory due to the semantics of how math operations are implicitly [truncated]

HIGH Imagination Technologies CVE published 2026-06-08

CVE-2026-22164

CVE-2026-22164 is a HIGH severity vulnerability with a CVSS score of 7.5. The vulnerability allows software installed and run as a non-privileged user to conduct improper GPU system calls, potentially corrupting kernel heap memory. An exploit can be used to corrupt kernel memory by creating resources of certain types and presenting a set of parameters to the affected interface.

MEDIUM Imagination Technologies CVE published 2026-06-01

CVE-2026-34193

A logic error in GPU address translation allows a compromised Host kernel to perform arbitrary writes to firmware memory. The vulnerability exists in kernel software running inside Guest/Host VMs that can post improper commands to GPU Firmware, triggering writes outside intended GPU memory boundaries. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates an adjacent network attack vector wit [truncated]

HIGH Imagination Technologies CVE published 2026-04-17

CVE-2026-21733

CVE-2026-21733 is a High-severity vulnerability associated with Imagination Technologies Graphics DDK on Linux and Android. Public details are still limited: the CVE entry is marked RESERVED in the supplied description, and NVD currently lists the record as Awaiting Analysis. The available NVD data indicates a local, low-privilege attack surface with no user interaction required, and potential high confid [truncated]