CVE-2026-40393: Critical severity Mesa Mesa vulnerability
Published Apr 12, 2026
In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.
Affected Software
4 affected components · Fixes available
Mesa Mesa < 25.3.6, < 26.0.1
Mesa3d Mesa < 25.3.6
Mesa3d Mesa = 26.0.0
Microsoft azl3 mesa 24.0.1-6
Event History
Apr 12, 2026
CVE Published via MITRE · 06:49 PM
Data Sourced via MITRE · 06:49 PM: Description, Severity, Weakness
Data Sourced via NVD · 07:16 PM: Description, Severity, Weakness, Affected Software
Apr 14, 2026
Data Sourced via Microsoft · 08:01 AM: Description, Severity, Weakness
Data Sourced via Microsoft · 08:01 AM: Affected Software
Updated via Microsoft · 08:01 AM: Severity
Frequently Asked Questions
1. What is the severity of CVE-2026-40393?
CVE-2026-40393 has a high severity due to the potential for out-of-bounds memory access.
2. How do I fix CVE-2026-40393?
To fix CVE-2026-40393, upgrade to Mesa version 25.3.6 or 26.0.1 or later.
3. What software is affected by CVE-2026-40393?
CVE-2026-40393 affects Mesa versions prior to 25.3.6 and 26.0.1.
4. What type of vulnerability is CVE-2026-40393?
CVE-2026-40393 is an out-of-bounds memory access vulnerability related to WebGPU.
5. Who is the vendor for CVE-2026-40393?
The vendor for CVE-2026-40393 is Mesa3D.