CVE-2026-53170
Analyzed Analyzed - Analysis Complete

Buffer Overflow in Linux Kernel Ethosu Accelerator

Vulnerability report for CVE-2026-53170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX. In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses. Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-06
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu driver, where DMA commands with uninitialized length values are not properly rejected.

The command state is initialized with a length value set to U64_MAX (a sentinel value indicating missing setup). If userspace omits setting this length and issues a DMA start command, the length remains at U64_MAX.

Due to arithmetic wrapping, the length check can incorrectly pass, causing the bounds check to be bypassed. This allows the hardware to execute DMA operations using stale physical addresses, potentially leading to unintended memory access.

The fix involves adding a check for U64_MAX at the start of the length calculation function to detect uninitialized fields before any arithmetic is performed.

Impact Analysis

This vulnerability can allow hardware to perform DMA operations with stale or incorrect physical addresses due to bypassed bounds checks.

Such behavior could lead to unauthorized memory access, data corruption, or system instability, depending on how the hardware and software interact.

Mitigation Strategies

The vulnerability is resolved by a fix in the Linux kernel that adds a check for U64_MAX at the start of dma_length() to detect uninitialized DMA length fields before any arithmetic is performed.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart