CVE-2024-52938

CVE-2024-52938 is a vulnerability in GPU firmware from Imagination Technologies, affecting kernel software running inside a Guest virtual machine (VM). The issue arises when the Guest VM kernel posts improper commands to the GPU firmware, subverting reconstruction activities and enabling a write operation outside the boundaries of the Guest's virtualized GPU memory. This flaw, classified under CWE-823 (Access of Uninitialized Pointer), carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential from a local, low-privilege attack vector.

An attacker with local access and low privileges (PR:L) inside the Guest VM can exploit this vulnerability without user interaction. By crafting and posting malicious commands from the Guest kernel to the GPU firmware, they can trigger out-of-bounds writes beyond the virtualized GPU memory region. This achieves high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially allowing data corruption, leakage, or denial of service within the virtualized environment or beyond, depending on the GPU firmware's integration.

Imagination Technologies has published details on the vulnerability in their GPU driver vulnerabilities advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/, which security practitioners should consult for patch availability and mitigation guidance.