CVE-2026-40393 — Out-of-bounds Write in Mesa

CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.0%

top 87.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mesa3d Mesa

Timeline

PublishedApr 12

Description

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5mesa3d/mesa26.0.0 — 26.0.1+1

🔴Vulnerability Details

GHSA

GHSA-w54f-pw7x-c532: In Mesa before 25↗2026-04-12

▶

CVEList

CVE-2026-40393: In Mesa before 25↗2026-04-12

▶

VulDB

mesa3d Mesa up to 25.3.5/26.0.0 WebGPU out-of-bounds write↗2026-04-12

▶