Mesa patches WebGPU alloca-sized out-of-bounds access

2 min read | Published 12 Apr 2026 | Updated 12 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — Mesa’s WebGPU implementation can hit out-of-bounds memory access when attacker-influenced allocation sizing is used with alloca, creating a high-severity memory-safety risk.

What happened

Mesa is a widely used open-source userspace graphics stack (drivers/libraries) for Linux and other platforms, implementing APIs like OpenGL and Vulkan.

CVE-2026-40393 describes an out-of-bounds memory access in Mesa’s WebGPU component where “the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.” The CVE record categorizes this as CWE-787 (Out-of-bounds Write) and scores it CVSS v3.1 8.1 (High) with a network attack vector and no user interaction.

Item                             | Source value
Affected software                | mesa3d / Mesa
Component                        | WebGPU
Vulnerability class              | Out-of-bounds write (CWE-787)
CVE description (condensed)      | Untrusted allocation sizing used for alloca can cause out-of-bounds memory access
Severity                         | CVSS v3.1 8.1 (High) (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected versions (CVE record)   | Mesa versions < 25.3.6, and 26.0.0 (the record lists 26.0.0 with lessThan 26.0.1)
Upstream references (CVE record) | mesa-dev thread and Mesa GitLab merge request

WebGPU is designed to run workloads supplied by untrusted content (for example, web or application inputs routed into GPU work), so memory-safety defects in this layer are operationally important even when exploitation is complex.
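As an added illustration of the bug class the CVE describes (constructed for this article, not Mesa's code or the patched function), the unsafe pattern of letting an untrusted count size alloca() next to a hardened version that bounds the count and never lets it drive a stack allocation; the function names, MAX_ENTRIES and STACK_ENTRIES are assumptions.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Vulnerable pattern (constructed, not Mesa's code): an untrusted element
 * count sizes alloca() directly. A huge count moves the stack pointer past
 * the guard page, and count * sizeof() can wrap to a small value, so the
 * loop writes outside the reserved region (CWE-787). Never called here. */
uint32_t sum_doubled_vulnerable(const uint32_t *src, size_t count)
{
    uint32_t *tmp = alloca(count * sizeof(uint32_t)); /* attacker-sized */
    uint32_t acc = 0;
    for (size_t i = 0; i < count; i++) {
        tmp[i] = src[i] * 2u;
        acc += tmp[i];
    }
    return acc;
}

/* Hardened form: bound the count against an explicit limit before any size
 * arithmetic, keep a fixed-size stack buffer for the common small case, and
 * move larger requests to the heap where failure is reportable. MAX_ENTRIES
 * and STACK_ENTRIES are assumed policy limits for this illustration. */
#define MAX_ENTRIES   4096u
#define STACK_ENTRIES 64u

bool sum_doubled_hardened(const uint32_t *src, size_t count, uint32_t *out)
{
    if (src == NULL || out == NULL || count > MAX_ENTRIES)
        return false;                          /* oversize request refused */
    uint32_t stackbuf[STACK_ENTRIES];
    uint32_t *tmp = stackbuf;
    if (count > STACK_ENTRIES) {
        tmp = calloc(count, sizeof(uint32_t)); /* calloc checks the multiply */
        if (tmp == NULL)
            return false;
    }
    uint32_t acc = 0;
    for (size_t i = 0; i < count; i++) {
        tmp[i] = src[i] * 2u;
        acc += tmp[i];
    }
    if (tmp != stackbuf)
        free(tmp);
    *out = acc;
    return true;
}
```

The hardened version rejects the oversize request before any allocation happens, which is the check a reviewer would look for wherever an externally supplied count reaches alloca().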

Who is impacted

  • Any environment running Mesa in the CVE record’s affected ranges:
    • All Mesa versions before 25.3.6.
    • Mesa 26.0.0 (affected up to, but not including, 26.0.1).
  • Deployments where the Mesa WebGPU path is reachable (i.e., WebGPU is in use by applications or runtimes on top of Mesa).
  • Linux fleets where Mesa is part of the base image/host runtime (desktops, VDI, developer workstations, GPU-enabled CI runners, and container hosts).

What to do now

  • Follow vendor remediation guidance and update to a Mesa build that is not in the CVE record’s affected ranges (the CVE lists < 25.3.6 and 26.0.0 prior to 26.0.1 as affected).
  • Inventory where Mesa is present in production (host OS packages, container base images, and GPU node pools) and confirm exact versions.
  • For risk triage, prioritize systems where WebGPU is enabled/used, since the issue is specifically in the WebGPU component.

Relevant upstream reference links included in the CVE record:

  • https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html
  • https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866
