TOCTOU Race Condition in GPU Firmware on Guest VM by Imagination Technologies
CVE-2025-58407

7.4 HIGH

Key Information:

Vendor
CVE Published: 17 November 2025

What is CVE-2025-58407?

A security issue exists in the GPU firmware provided by Imagination Technologies, where a TOCTOU (Time of Check to Time of Use) race condition can occur. This vulnerability may allow a crafted guest virtual machine (VM) to send improper commands to the GPU firmware. As a result, it can lead to unauthorized read and/or write operations that access data beyond the designated memory bounds of the virtual machine, potentially compromising the integrity and confidentiality of the memory space.

Affected Version(s)

Graphics DDK Linux 25.2 RTM1

Graphics DDK Linux 25.1 RTM2

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
