CVE-2026-22166
Published: 01 May 2026
Summary
CVE-2026-22166 is a high-severity Use After Free (CWE-416) vulnerability in Imaginationtech Ddk. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 26.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22166 is a use-after-free (UAF) vulnerability (CWE-416) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). It affects the GPU GLES user-space shared library in Imagination Technologies GPU drivers. The issue arises when a web page loads unusual WebGPU content into the GPU GLES render process, triggering a write UAF crash.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. Successful exploitation causes high integrity (I:H) and availability (A:H) impacts via the crash, and on certain platforms where the graphics workload process runs with system privileges, it could enable further system-level exploitation.
Imagination Technologies has published details on GPU driver vulnerabilities, including this CVE, at https://www.imaginationtech.com/gpu-driver-vulnerabilities/, which security practitioners should consult for mitigation guidance and patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26663
Vulnerability details
A web page that contains unusual WebGPU content loaded into the GPU GLES render process can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges, this could enable subsequent exploit on the system.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
UAF in GPU GLES/WebGPU render path enables client-side exploitation (T1203) and potential privilege escalation to system level on privileged graphics processes (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the use-after-free flaw in the Imagination Technologies GPU GLES user-space shared library by identifying, testing, and applying patches.
Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to prevent exploitation of the write UAF crash in the GPU library.
Isolates the GPU GLES render process to restrict unauthorized access and limit privilege escalation potential when the process executes with system privileges on affected platforms.