Cyber Posture

CVE-2026-40393

High

Published: 12 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: Mesa 25.3.6 / 26.0.1
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40393 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Mesa3D Mesa. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the CVE by identifying, reporting, and correcting the specific out-of-bounds memory access flaw through timely patching: Mesa 25.3.6 or later on the 25.3 branch, 26.0.1 or later on the 26 branch.

SI-16 Memory Protection · prevent

Memory protection mechanisms that enforce boundaries (for example guard pages and compiler stack-clash protection) turn an oversized alloca driven by an untrusted WebGPU allocation size into a contained crash rather than silent memory corruption. This is a compensating control; it limits what the flaw can reach but does not remove it.

SI-10 Information Input Validation · prevent

Requires validation of untrusted inputs, such as allocation sizes supplied by an external party, against an explicit upper bound before they are used in alloca operations; a size above the bound must be rejected rather than allocated, since an unbounded size is exactly what leads to the OOB access.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Remote memory corruption (out-of-bounds access via an untrusted alloca size) in a client-side graphics library (Mesa WebGPU) can give an attacker who supplies the allocation size arbitrary code execution inside the client application that consumes it.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

Deeper analysis

CVE-2026-40393 is an out-of-bounds memory access vulnerability (CWE-787) in the WebGPU implementation of Mesa, affecting versions before 25.3.6 and 26 before 26.0.1. The flaw occurs because the amount of data to be allocated depends on input from an untrusted party, which is then used directly in an alloca operation, potentially leading to memory corruption. Published on 2026-04-12, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Per the CVSS vector, the flaw is reachable over the network (AV:N) by an unauthenticated attacker (PR:N) with no user interaction (UI:N) but high attack complexity (AC:H). In practice the "untrusted party" is whoever feeds allocation sizes into the WebGPU code path of a process using Mesa, so the realistic delivery path is hostile content handled by an application that exposes WebGPU on top of Mesa. An oversized alloca most reliably produces a crash (denial of service); a size chosen so that the subsequent accesses land outside the intended frame is what the High confidentiality and integrity ratings assume, and that is the harder, AC:H part of the attack.
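The alloca pattern the NVD description refers to, shown as an added C example that is not Mesa's code: the message layout, the limits and the function names are all constructed for illustration. The vulnerable form takes the allocation size straight from the untrusted message; the hardened form applies the input-validation (SI-10) and memory-protection (SI-16) controls listed above by rejecting counts over an explicit limit, capping stack use at a compile-time constant, and moving larger buffers to a size-checked heap allocation.

```c
/* Added example, not Mesa code: the "untrusted size fed to alloca" pattern
 * behind CVE-2026-40393 next to a bounded replacement. Message layout,
 * limits and function names are constructed for illustration. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message: an element count chosen by the untrusted party,
 * followed by that many 32-bit entries. */
struct untrusted_msg {
    uint32_t count;
    const uint32_t *entries;
};

/* Vulnerable pattern: the byte count given to alloca comes from the message
 * with no upper bound. A large count moves the stack pointer far below the
 * mapped stack, so the copy and the loop touch memory outside the frame. */
uint64_t sum_entries_vulnerable(const struct untrusted_msg *m)
{
    uint32_t *tmp = alloca(m->count * sizeof(uint32_t)); /* untrusted size */
    memcpy(tmp, m->entries, m->count * sizeof(uint32_t));
    uint64_t sum = 0;
    for (uint32_t i = 0; i < m->count; i++)
        sum += tmp[i];
    return sum;
}

#define MAX_ENTRIES   (1u << 20)  /* assumed protocol limit on the count */
#define STACK_ENTRIES 64          /* compile-time bound on stack scratch */

/* Hardened form: reject counts over an explicit limit before any memory is
 * touched (input validation), keep stack usage bounded by a constant rather
 * than by the input (memory protection), and use a size-checked heap
 * allocation for anything larger. Returns 0 on success, -1 on rejection. */
int sum_entries_safe(const struct untrusted_msg *m, uint64_t *out)
{
    if (m->count > MAX_ENTRIES)
        return -1;                      /* reject, do not allocate */
    uint32_t stack_buf[STACK_ENTRIES];
    uint32_t *heap_buf = NULL, *tmp = stack_buf;
    if (m->count > STACK_ENTRIES) {
        heap_buf = calloc(m->count, sizeof(uint32_t)); /* checks n * size */
        if (heap_buf == NULL)
            return -1;
        tmp = heap_buf;
    }
    memcpy(tmp, m->entries, (size_t)m->count * sizeof(uint32_t));
    uint64_t sum = 0;
    for (uint32_t i = 0; i < m->count; i++)
        sum += tmp[i];
    free(heap_buf);
    *out = sum;
    return 0;
}

/* Constructed inputs: a benign 4-entry message, a 200-entry one that takes
 * the heap path, and a hostile count that the safe version must reject. */
static const uint32_t small_entries[4] = { 1, 2, 3, 4 };
static uint32_t big_entries[200];

uint64_t demo_vulnerable_benign(void)      /* both versions agree here: 10 */
{
    struct untrusted_msg ok = { 4, small_entries };
    return sum_entries_vulnerable(&ok);
}

int demo_safe_small(uint64_t *out)         /* returns 0, *out == 10 */
{
    struct untrusted_msg ok = { 4, small_entries };
    return sum_entries_safe(&ok, out);
}

int demo_safe_heap_path(uint64_t *out)     /* returns 0, *out == 19900 */
{
    for (uint32_t i = 0; i < 200; i++)
        big_entries[i] = i;
    struct untrusted_msg mid = { 200, big_entries };
    return sum_entries_safe(&mid, out);
}

int demo_safe_rejects_hostile(void)        /* returns -1, nothing allocated */
{
    struct untrusted_msg bad = { UINT32_MAX, small_entries };
    uint64_t out = 0;
    return sum_entries_safe(&bad, &out); /* the alloca version would crash */
}

int main(void)
{
    uint64_t s = 0;
    int rc = demo_safe_heap_path(&s);
    printf("vulnerable, benign: %llu\n", (unsigned long long)demo_vulnerable_benign());
    printf("safe, heap path: rc=%d sum=%llu\n", rc, (unsigned long long)s);
    printf("safe, hostile count: rc=%d\n", demo_safe_rejects_hostile());
    return 0;
}
```

The benign case is the point to notice: both versions return the same answer on well-formed input, which is why this class of bug survives ordinary functional testing and only surfaces when someone chooses the count. Building with the toolchain's stack-clash protection (`-fstack-clash-protection` in GCC and Clang) makes the oversized-alloca case a guaranteed crash at the guard page instead of a silent write past it; that is the compensating control SI-16 describes, and it does not replace the bound check.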

Mitigation details are available in the referenced advisories: a Mesa merge request at https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866 and a mesa-dev mailing list announcement at https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html. Updating to Mesa 25.3.6, 26.0.1, or later versions addresses the issue.

Details

CWE(s)

CWE-787 Out-of-bounds Write

Affected Products

mesa3d mesa: versions before 25.3.6 (25.3 branch) and 26.0.0 (26 branch, fixed in 26.0.1)

CVEs Like This One (shared CWE-787)

CVE-2025-21042
CVE-2025-36897
CVE-2025-43300
CVE-2026-26955
CVE-2025-9809
CVE-2026-22852
CVE-2019-25628
CVE-2026-42484
CVE-2025-1017
CVE-2025-1020

References

Mesa merge request: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866
mesa-dev announcement: https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html