CVE-2024-52939
Published: 22 February 2025
Description
Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to trigger a write data outside the Guest's virtualised GPU memory.
Security Summary
CVE-2024-52939 is a vulnerability in which kernel software installed and running inside a Guest VM posts improper commands to the GPU Firmware, triggering a write outside the Guest's virtualized GPU memory. It affects kernel software interacting with virtualized GPU components, as indicated by advisories from Imagination Technologies. The issue carries a CVSS v3.1 base score of 7.8 (High) and is associated with CWE-823 (Access of Uninitialized Pointer). The CVE was published on 2025-02-22T15:15:10.633.
A local attacker with low privileges (PR:L) inside the Guest VM can exploit this vulnerability with low attack complexity (AC:L) and local access (AV:L), requiring no user interaction (UI:N). Exploitation allows high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U), potentially due to the out-of-bounds write affecting memory beyond the Guest's virtualized GPU allocation.
Mitigation details are provided in the vendor advisory at https://www.imaginationtech.com/gpu-driver-vulnerabilities/.
Details
- CWE(s)