CVE-2026-21732

CRITICAL

GPU DDK - libusc OOB write at ConvertSwitchToArrayLookupBP during WebGPU shader compilation

Title source: cna

Description

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

References (1)

https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Scores

CVSS v3 9.6

EPSS 0.0006

EPSS Percentile 18.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-787 CWE-823

Status published

Products (9)

Imagination Technologies/Graphics DDK 1.17 RTM

Imagination Technologies/Graphics DDK 1.18 RTM

Imagination Technologies/Graphics DDK 23.2 RTM

Imagination Technologies/Graphics DDK 24.1 RTM - 25.1 RTM

Imagination Technologies/Graphics DDK 25.2 RTM

imaginationtech/ddk 1.17

imaginationtech/ddk 1.18

imaginationtech/ddk 23.2

imaginationtech/ddk 24.1 - 25.1

Published Mar 20, 2026

Tracked Since Mar 21, 2026