Cyber Posture

CVE-2026-21732

Critical

Published: 20 March 2026

Modified: 21 April 2026
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.0th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21732 is a critical-severity Use of Out-of-range Pointer Offset (CWE-823) vulnerability in Imaginationtech Ddk. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 19.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly remediates the out-of-bounds write flaw in the GPU shader compiler by identifying, patching, and verifying fixes from the vendor advisory.

prevent: Implements memory protections such as ASLR and DEP to prevent exploitation of the out-of-bounds write vulnerability in the shader compiler.

prevent: Enforces least privilege on the GPU compiler process to prevent privilege escalation from crashes or exploits on platforms where it runs with system privileges.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1189 Drive-by Compromise (tactic: Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

Why these techniques?

Out-of-bounds write in GPU shader compiler enables client-side RCE via malicious web shader code (T1203); attack delivered through drive-by web page load (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

Deeper analysis · AI

CVE-2026-21732 is an out-of-bounds write vulnerability in the GPU shader compiler library, triggered when a web page loads unusual GPU shader code into the GPU compiler process. It affects Imagination Technologies GPU drivers, where an edge case involving a very large value in switch statements within GPU shader code causes a segmentation fault due to the out-of-bounds write access. The vulnerability is associated with CWE-823 (Use of Out-of-range Pointer Offset) and CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 9.6.

A remote attacker with no privileges can exploit this vulnerability over the network with low complexity by tricking a user into loading a malicious web page that contains the anomalous shader code, requiring user interaction. The initial impact is a crash in the GPU compiler process, but on certain platforms where the compiler process runs with system privileges, this could enable further exploits on the device, achieving high confidentiality, integrity, and availability impacts with a changed scope.

Imagination Technologies has published details on mitigations in their GPU driver vulnerabilities advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/.

Details

CWE(s)

Affected Products

imaginationtech ddk: 1.17, 1.18, 23.2 · 24.1 — 25.1

CVEs Like This One

CVE-2026-22163 (Same product: Imaginationtech Ddk)
CVE-2025-25176 (Same product: Imaginationtech Ddk)
CVE-2025-10865 (Same product: Imaginationtech Ddk)
CVE-2025-58411 (Same product: Imaginationtech Ddk)
CVE-2025-13952 (Same product: Imaginationtech Ddk)
CVE-2025-24201 (Shared CWE-787)
CVE-2026-3909 (Shared CWE-787)
CVE-2025-1016 (Shared CWE-787)
CVE-2025-43209 (Shared CWE-787)
CVE-2025-9132 (Shared CWE-787)

References