CVE-2026-21734 | A web page that contains unusual GPU shader code is loaded i… | CVSS 7.7 HIGH

Description

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. An edge case using a very small value in GPU shader code can cause a segmentation fault in the GPU shader compiler due to am out-of-bounds write.

Metadata

CVE ID: CVE-2026-21734
State: PUBLISHED
Assigner: imaginationtech
Reserved: 2026-01-05 11:57 UTC
Published: 2026-06-26 15:14 UTC
Last updated: 2026-06-26 19:13 UTC
Primary CWE: CWE-823
CWE-823: Use of Out-of-range Pointer Offset (4.16)
Vendor / Product: Imagination Technologies / Graphics DDK
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Imagination Technologies	Graphics DDK	Linux,Android	1.18 RTM, 23.2 RTM, 24.1 RTM ≤ 24.2 RTM, 25.1 RTM ≤ 25.3 RTM …

Weakness (CWE)

CWE	Source	Description
CWE-823	cna	CWE-823: Use of Out-of-range Pointer Offset (4.16)

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	adp	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (1)

https://www.imaginationtech.com/gpu-driver-vulnerabilities/