MidnightBSD

Advisories for imaginationtech

CVE-2023-4969

A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

Products Affected

Vendor Product Version
amd radeon_rx_7700xt_firmware -
amd ryzen_7_7736u_firmware -
amd ryzen_7_4800h_firmware -
amd radeon_rx_6800_firmware -
amd athlon_3000g_firmware -
amd instinct_mi250_firmware -
amd ryzen_9_6980hx_firmware -
amd ryzen_3_7320u_firmware -
amd instinct_mi300a_firmware -
amd ryzen_7_pro_7840hs_firmware -
amd ryzen_5_6600u_firmware -
amd ryzen_3_5300u_firmware -
amd ryzen_7_4800u_firmware -
amd ryzen_3_5300g_firmware -
amd instinct_mi210_firmware -
amd ryzen_9_7900x3d_firmware -
amd ryzen_5_4600h_firmware -
amd ryzen_5_7535hs_firmware -
amd ryzen_5_7520u_firmware -
amd radeon_rx_5300m_firmware -
amd instinct_mi100_firmware -
amd radeon_rx_5500m_firmware -
amd radeon_instinct_mi50_firmware -
amd radeon_rx_5300xt_firmware -
amd ryzen_5_pro_3400ge_firmware -
amd ryzen_7_5700g_firmware -
amd ryzen_7_6800h_firmware -
amd ryzen_9_7900x_firmware -
amd radeon_rx_7600xt_firmware -
amd ryzen_5_pro_7540u_firmware -
amd ryzen_5_7600_firmware -
amd ryzen_7_4980u_firmware -
amd radeon_rx_7600_firmware -
amd ryzen_7_pro_7840u_firmware -
amd radeon_instinct_mi25_firmware -
amd ryzen_7_6800hs_firmware -
amd ryzen_5_pro_3350g_firmware -
amd ryzen_5_7640h_firmware -
amd ryzen_5_5600g_firmware -
amd ryzen_5_4500u_firmware -
amd radeon_pro_v520_firmware -
amd radeon_rx_7800xt_firmware -
amd ryzen_9_pro_7945hs_firmware -
amd radeon_rx_5600_firmware -
amd ryzen_3_3200u_firmware -
amd ryzen_5_pro_7640hs_firmware -
amd ryzen_9_7945hx3d_firmware -
amd ryzen_7_4800hs_firmware -
amd ryzen_5_4600ge_firmware -
amd ryzen_5_pro_7640u_firmware -
amd radeon_rx_6800xt_firmware -
amd ryzen_5_5500u_firmware -
amd ryzen_9_6980hs_firmware -
amd ryzen_3_7335u_firmware -
amd ryzen_5_5500gt_firmware -
amd radeon_rx_6950xt_firmware -
amd radeon_pro_w6400_firmware -
amd ryzen_7_7700_firmware -
amd ryzen_7_7745hx_firmware -
amd ryzen_7_4700u_firmware -
amd ryzen_7_5700ge_firmware -
amd ryzen_5_6600h_firmware -
amd ryzen_9_pro_7945_firmware -
amd radeon_rx_5500xt_firmware -
amd ryzen_3_7440u_firmware -
amd ryzen_9_7900_firmware -
khronos vulkan *
amd radeon_pro_w7600_firmware -
amd ryzen_3_pro_3200ge_firmware -
amd ryzen_3_5300ge_firmware -
khronos opencl *
amd radeon_rx_6900xt_firmware -
amd ryzen_5_6600hs_firmware -
amd ryzen_7_5700u_firmware -
amd ryzen_5_4600g_firmware -
amd radeon_rx_5500_firmware -
amd ryzen_5_7600x_firmware -
amd instinct_mi300x_firmware -
amd radeon_pro_w7500_firmware -
amd radeon_rx_5600xt_firmware -
amd ryzen_9_6900hs_firmware -
amd ryzen_5_5600ge_firmware -
amd ryzen_7_7840h_firmware -
amd ryzen_9_6900hx_firmware -
imaginationtech ddk *
amd radeon_pro_w5500x_firmware -
amd ryzen_5_4600hs_firmware -
amd ryzen_7_7700x_firmware -
amd ryzen_5_pro_3350ge_firmware -
amd ryzen_5_pro_3400g_firmware -
amd ryzen_3_pro_3200g_firmware -
amd ryzen_3_3200ge_firmware -
amd radeon_rx_7900xtx_firmware -
amd ryzen_7_6800u_firmware -
amd ryzen_5_7645hx_firmware -
amd radeon_rx_5700m_firmware -
amd ryzen_5_4680u_firmware -
amd ryzen_7_pro_7745_firmware -
amd ryzen_7_4700ge_firmware -
amd ryzen_3_3250u_firmware -
amd ryzen_7_4700g_firmware -
amd ryzen_3_4300u_firmware -
amd ryzen_9_4900h_firmware -
amd ryzen_9_4900hs_firmware -
amd ryzen_3_4300ge_firmware -
amd ryzen_7_7800x3d_firmware -
amd ryzen_5_7535u_firmware -
amd ryzen_9_7950x3d_firmware -
amd ryzen_3_3250c_firmware -
amd ryzen_7_7735hs_firmware -
amd radeon_rx_5700_firmware -
amd ryzen_3_3200g_firmware -
amd radeon_pro_w6500m_firmware -
amd radeon_pro_w6300m_firmware -
amd ryzen_9_7940h_firmware -
amd radeon_rx_5700xt_firmware -
amd ryzen_7_7735u_firmware -
amd ryzen_5_pro_7645_firmware -
amd ryzen_9_7945hx_firmware -
amd ryzen_9_7845hx_firmware -
amd ryzen_9_7950x_firmware -
amd ryzen_5_pro_7545u_firmware -
amd radeon_pro_w5700x_firmware -
amd ryzen_5_3400g_firmware -
amd radeon_rx_5600m_firmware -
amd ryzen_5_5600gt_firmware -
amd radeon_rx_5300_firmware -
amd ryzen_5_4600u_firmware -
amd radeon_pro_v620_firmware -
amd radeon_rx_7900xt_firmware -
amd ryzen_5_7500f_firmware -
amd ryzen_3_4300g_firmware -
CVE-2025-0467

Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N 1.8 5.8

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-10865

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present.

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-13952

A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object.

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-25176

Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform.

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-25179

Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-46707

Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 2.0 2.7

Products Affected

Vendor Product Version
imaginationtech ddk *
imaginationtech ddk 1.15
imaginationtech ddk 1.18
imaginationtech ddk 1.17
CVE-2025-46708

Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 0.9 3.4

Products Affected

Vendor Product Version
imaginationtech ddk *
imaginationtech ddk 1.15
imaginationtech ddk 1.18
imaginationtech ddk 1.17
CVE-2025-46709

Possible memory leak or kernel exceptions caused by reading kernel heap data after free or NULL pointer dereference kernel exception.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-46710

Possible kernel exceptions caused by reading and writing kernel heap data after free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.7 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 0.9 4.7

Products Affected

Vendor Product Version
imaginationtech ddk *
imaginationtech ddk 24.2
CVE-2025-46711

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger NULL pointer dereference kernel exceptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-58407

Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
imaginationtech ddk 25.2
CVE-2025-58408

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.5 3.4

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-58409

Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory.

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2025-58410

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
imaginationtech ddk 24.3
imaginationtech ddk 24.1
imaginationtech ddk 25.1
imaginationtech ddk 25.2
imaginationtech ddk 24.2
imaginationtech ddk 23.3
CVE-2025-58411

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present.

Products Affected

Vendor Product Version
imaginationtech ddk *
CVE-2026-21736

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory. This is caused by improper handling of the memory protections for the user-mode wrapped memory resource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 1.8 2.5

Products Affected

Vendor Product Version
imaginationtech ddk 25.1