CVE-2026-40393 - Vulnerability Details - OpenCVE

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mesa3d	Mesa

No data.

No data.

References

Link	Providers
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866
https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html

History

Mon, 13 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title		Mesa WebGPU Out-of-bounds Memory Access Vulnerability

Sun, 12 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.
First Time appeared		Mesa3d Mesa3d mesa
Weaknesses		CWE-787
CPEs		cpe:2.3:a:mesa3d:mesa::::::::
Vendors & Products		Mesa3d Mesa3d mesa
References		https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866 https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-12T18:49:18.984Z

Updated: 2026-04-13T15:47:05.804Z

Reserved: 2026-04-12T18:49:18.544Z

Link: CVE-2026-40393

Vulnrichment

Updated: 2026-04-13T15:47:00.608Z

NVD

Status : Awaiting Analysis

Published: 2026-04-12T19:16:20.797

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-40393

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40393", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-12T18:49:18.544Z", "datePublished": "2026-04-12T18:49:18.984Z", "dateUpdated": "2026-04-13T15:47:05.804Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mesa", "vendor": "mesa3d", "versions": [{"lessThan": "25.3.6", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "26.0.1", "status": "affected", "version": "26.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T18:56:36.231Z"}, "references": [{"url": "https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html"}, {"url": "https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.3.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0.0", "versionEndExcluding": "26.0.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:46:57.488673Z", "id": "CVE-2026-40393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:47:05.804Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T15:46:57.488673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:47:00.608Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "mesa3d", "product": "Mesa", "versions": [{"status": "affected", "version": "0", "lessThan": "25.3.6", "versionType": "semver"}, {"status": "affected", "version": "26.0.0", "lessThan": "26.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html"}, {"url": "https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "25.3.6"}, {"criteria": "cpe:2.3:a:mesa3d:mesa:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "26.0.1", "versionStartIncluding": "26.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T18:56:36.231Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40393", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:47:05.804Z", "dateReserved": "2026-04-12T18:49:18.544Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-12T18:49:18.984Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}