CVE-2026-45203 (GCVE-0-2026-45203)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:57 – Updated: 2026-07-10 20:57
VLAI
EPSS
VEX
Title
GPU DDK - rgxfw_hwperf_ufo() re-reads psCmdHeader->ui32CmdSize after initial check, TOCTOU
Summary
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.
A TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use.
Severity
No CVSS data available.
CWE
- CWE-367 - CWE - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition (4.20)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Imagination Technologies | Graphics DDK |
Affected:
1.18 RTM2
(custom)
Affected: 23.2 RTM2 (custom) Affected: 24.2 RTM2 (custom) Affected: 25.1 RTM2 , ≤ 25.3 RTM (custom) Affected: 26.1 RTM1 (custom) Unaffected: 26.1 RTM2 (custom) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"Linux",
"Android"
],
"product": "Graphics DDK",
"vendor": "Imagination Technologies",
"versions": [
{
"status": "affected",
"version": "1.18 RTM2",
"versionType": "custom"
},
{
"status": "affected",
"version": "23.2 RTM2",
"versionType": "custom"
},
{
"status": "affected",
"version": "24.2 RTM2",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.3 RTM",
"status": "affected",
"version": "25.1 RTM2",
"versionType": "custom"
},
{
"status": "affected",
"version": "26.1 RTM1",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "26.1 RTM2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eKernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.\n\u003cbr\u003e\n\u003cbr\u003eA TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use.\u003c/p\u003e"
}
],
"value": "Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.\n\n\n\nA TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use."
}
],
"impacts": [
{
"capecId": "CAPEC-480",
"descriptions": [
{
"lang": "en",
"value": "CAPEC - CAPEC-480: Escaping Virtualization (Version 3.9)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition (4.20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:57:19.733Z",
"orgId": "367425dc-4d06-4041-9650-c2dc6aaa27ce",
"shortName": "imaginationtech"
},
"references": [
{
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GPU DDK - rgxfw_hwperf_ufo() re-reads psCmdHeader-\u003eui32CmdSize after initial check, TOCTOU",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "367425dc-4d06-4041-9650-c2dc6aaa27ce",
"assignerShortName": "imaginationtech",
"cveId": "CVE-2026-45203",
"datePublished": "2026-07-10T20:57:19.733Z",
"dateReserved": "2026-05-11T10:58:04.163Z",
"dateUpdated": "2026-07-10T20:57:19.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-45203\",\"sourceIdentifier\":\"367425dc-4d06-4041-9650-c2dc6aaa27ce\",\"published\":\"2026-07-10T21:16:54.760\",\"lastModified\":\"2026-07-10T21:16:54.760\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.\\n\\n\\n\\nA TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use.\"}],\"affected\":[{\"source\":\"367425dc-4d06-4041-9650-c2dc6aaa27ce\",\"affectedData\":[{\"vendor\":\"Imagination Technologies\",\"product\":\"Graphics DDK\",\"defaultStatus\":\"unknown\",\"platforms\":[\"Linux\",\"Android\"],\"versions\":[{\"version\":\"1.18 RTM2\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"23.2 RTM2\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"24.2 RTM2\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"25.1 RTM2\",\"lessThanOrEqual\":\"25.3 RTM\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"26.1 RTM1\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"26.1 RTM2\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]}]}],\"metrics\":{},\"weaknesses\":[{\"source\":\"367425dc-4d06-4041-9650-c2dc6aaa27ce\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"}]}],\"references\":[{\"url\":\"https://www.imaginationtech.com/gpu-driver-vulnerabilities/\",\"source\":\"367425dc-4d06-4041-9650-c2dc6aaa27ce\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…