Cyber Posture

CVE-2024-47894

High

Published: 13 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0003 (10.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.

Security Summary

CVE-2024-47894 is a vulnerability (CWE-823) in which kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware, enabling it to read data outside the Guest's virtualized GPU memory. The issue affects Imagination Technologies GPU drivers, as detailed in their vulnerability advisory, and received a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges inside the Guest VM can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation allows high-impact confidentiality violations by accessing data beyond the Guest's virtualized GPU memory boundaries, alongside high availability impact that could disrupt GPU operations.

The Imagination Technologies advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/ provides details on affected versions and mitigation steps, including patches for the GPU driver vulnerabilities.

Details

CWE(s)
CWE-823

References