Cyber Resilience

CVE-2026-40393

High

Published: 12 April 2026
Modified: 16 April 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0035 (26.6th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40393 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Mesa3D Mesa. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 26.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-40393 is an out-of-bounds memory access vulnerability (CWE-787) in the WebGPU implementation of Mesa, affecting versions before 25.3.6 and 26.x before 26.0.1. The flaw occurs because the amount of data to be allocated depends on input from an untrusted party, and that size is then passed directly to alloca (a stack allocation), so an oversized request can corrupt memory. Published on 2026-04-12, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by unauthenticated attackers over the network, requiring no user interaction but high attack complexity. Successful exploitation enables high-impact consequences, including unauthorized disclosure of sensitive information, modification of data or system integrity, and denial of service through system crashes or corruption.

Mitigation details are available in the referenced advisories: a Mesa merge request at https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866 and a mesa-dev mailing list announcement at https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html. Updating to Mesa 25.3.6, 26.0.1, or later versions addresses the issue.
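The following C program is an added illustration of the flaw class described above, not Mesa's code and not the fix from the referenced merge request: a request whose element count is chosen by the remote party is used to size an alloca. The struct, function names and the two limits (MAX_STACK_SCRATCH, MAX_ELEMENTS) are constructed for the example. It shows the unchecked shape for contrast, then the hardened shape that validates the count against a protocol ceiling and an overflow check before any allocation, keeps alloca only for small scratch buffers, and routes larger ones to the heap.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STACK_SCRATCH 1024u   /* bytes we are willing to place on the stack (assumption) */
#define MAX_ELEMENTS      65536u  /* protocol-defined ceiling on the element count (assumption) */

/* Constructed request shape: the count is supplied by the remote party. */
struct request {
    uint32_t count;          /* untrusted */
    const uint32_t *values;  /* count elements */
};

/* Vulnerable shape (shown for contrast): the untrusted count sizes the alloca
 * directly. A large count moves the stack pointer far outside the stack and
 * the memcpy that follows writes out of bounds. */
static uint64_t sum_unchecked(const struct request *r)
{
    uint32_t *scratch = alloca((size_t)r->count * sizeof(uint32_t));
    memcpy(scratch, r->values, (size_t)r->count * sizeof(uint32_t));
    uint64_t total = 0;
    for (uint32_t i = 0; i < r->count; i++)
        total += scratch[i];
    return total;
}

/* Validate an untrusted count before any allocation decision is made.
 * Returns 0 and the byte size if acceptable, -1 if the count exceeds the
 * protocol ceiling or count * elem_size would overflow size_t. */
static int validate_count(uint32_t count, size_t elem_size, size_t *out_bytes)
{
    if (count > MAX_ELEMENTS)
        return -1;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out_bytes = (size_t)count * elem_size;
    return 0;
}

/* Hardened shape: reject out-of-spec sizes, use alloca only when the scratch
 * buffer is provably small, otherwise take the buffer from the heap.
 * Returns 0 on success with the sum in *out, -1 if the request is rejected. */
static int sum_checked(const struct request *r, uint64_t *out)
{
    size_t bytes;
    if (validate_count(r->count, sizeof(uint32_t), &bytes) != 0)
        return -1;

    uint32_t *heap = NULL;
    uint32_t *scratch;
    if (bytes <= MAX_STACK_SCRATCH) {
        scratch = alloca(bytes);       /* bounded: at most MAX_STACK_SCRATCH bytes */
    } else {
        heap = malloc(bytes);
        if (heap == NULL)
            return -1;
        scratch = heap;
    }

    memcpy(scratch, r->values, bytes);
    uint64_t total = 0;
    for (uint32_t i = 0; i < r->count; i++)
        total += scratch[i];
    free(heap);                        /* no-op on the stack path */
    *out = total;
    return 0;
}

/* Runs sum_checked over a constructed request of `count` elements that are
 * all 1, so a successful sum equals count. Returns the sum, or -1 when the
 * request is rejected. Over-ceiling counts build no values: they must be
 * refused before any element would be read. */
static int64_t run_demo(uint32_t count)
{
    uint32_t *vals = NULL;
    if (count <= MAX_ELEMENTS) {
        vals = malloc((size_t)count * sizeof(uint32_t));
        if (vals == NULL)
            return -1;
        for (uint32_t i = 0; i < count; i++)
            vals[i] = 1;
    }
    struct request r = { count, vals };
    uint64_t sum = 0;
    int rc = sum_checked(&r, &sum);
    free(vals);
    return rc == 0 ? (int64_t)sum : -1;
}

int main(void)
{
    /* Small request: both shapes behave; only the checked one is safe in general. */
    uint32_t small[4] = { 1, 2, 3, 4 };
    struct request r = { 4, small };
    printf("unchecked small sum: %llu\n", (unsigned long long)sum_unchecked(&r));
    printf("checked 16 elems:    %lld (stack path)\n", (long long)run_demo(16));
    printf("checked 4096 elems:  %lld (heap path)\n", (long long)run_demo(4096));
    printf("checked 65537 elems: %lld (rejected)\n", (long long)run_demo(65537));
    return 0;
}
```

The design choice worth copying is that the bound is checked against what the protocol is defined to carry, not against what the stack happens to tolerate today; anything above that ceiling is a malformed request and is refused before a single byte is reserved.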

Vulnerability details

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

CWE(s)

CWE-787 Out-of-bounds Write
Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Remote memory corruption (out-of-bounds access via untrusted alloca size) in client-side graphics library (Mesa WebGPU) directly enables arbitrary code execution on affected client applications.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25705 · shared CWE-787
CVE-2019-25633 · shared CWE-787
CVE-2026-0538 · shared CWE-787
CVE-2016-20046 · shared CWE-787
CVE-2019-25628 · shared CWE-787
CVE-2019-25695 · shared CWE-787
CVE-2018-25218 · shared CWE-787
CVE-2026-42484 · shared CWE-787
CVE-2019-25612 · shared CWE-787
CVE-2025-43300 · shared CWE-787

Affected Assets

mesa3d mesa: 26.0.0 · ≤ 25.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · Directly mitigates the CVE by identifying, reporting, and correcting the specific out-of-bounds memory access flaw through timely patching to Mesa 25.3.6 or later.

prevent · Implements memory protection mechanisms that enforce boundaries to prevent out-of-bounds access and memory corruption from untrusted allocation sizes in WebGPU.

prevent · Requires validation of untrusted inputs, such as allocation sizes from external parties, to prevent their direct use in alloca operations leading to OOB access.
