CVE-2026-53169
Received Received - Intake
Ethosu NPU_OP_RESIZE Command Rejection Flaw

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, causing unbounded kernel log spam. If panic_on_warn is set the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive. Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl rejects the command before it reaches hardware.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53169
EUVD
EUVD-2026-39260
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where the vulnerability is fixed.

The fix replaces the WARN_ON(1) with an explicit -EINVAL return, preventing the ioctl from reaching hardware and stopping kernel log spam and potential denial-of-service.

If updating is not immediately possible, consider restricting unprivileged users' access to the DRM device to prevent exploitation.

Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu driver, where it improperly handles the NPU_OP_RESIZE command from userspace. This command is specific to the U85 hardware but is not yet implemented by the driver. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, the driver triggers a WARN_ON(1) placeholder unconditionally, which causes excessive kernel log spam.

If the kernel is configured with panic_on_warn enabled, this warning causes the kernel to panic, resulting in a denial-of-service condition. This means any unprivileged user with access to the DRM device can exploit this to crash the system.

The fix replaces the WARN_ON(1) with an explicit error return (-EINVAL), so the command is rejected before reaching the hardware, preventing the kernel panic and log spam.

Impact Analysis

This vulnerability can be exploited by any unprivileged user who has access to the DRM device to cause a denial-of-service (DoS) attack by triggering a kernel panic.

The impact is that the system can become unstable or crash unexpectedly, leading to downtime and potential loss of availability of services running on the affected Linux system.

Detection Guidance

This vulnerability can be detected by monitoring kernel logs for repeated WARN_ON(1) messages triggered by userspace submitting the NPU_OP_RESIZE command via DRM_IOCTL_ETHOSU_GEM_CREATE.

You can use commands like 'dmesg' or 'journalctl -k' to check for kernel log spam related to this warning.

  • dmesg | grep WARN_ON
  • journalctl -k | grep WARN_ON

Additionally, monitoring for kernel panics if panic_on_warn is enabled can indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53169. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart