CVE-2026-53170
Buffer Overflow in Linux Kernel Ethosu Accelerator

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
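The wraparound described above, as an added example that is not the driver's source: a simplified user-space model of the length arithmetic with the sentinel test placed after and before the addition. The function names, the reduced parameter list and the use of `__builtin_mul_overflow` (GCC/Clang) as a stand-in for check_mul_overflow() are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define U64_MAX UINT64_MAX /* sentinel: field never set by userspace */

/* Simplified model of the pre-fix arithmetic (hypothetical, not driver code). */
static uint64_t model_len_unpatched(uint64_t len, int64_t stride, uint64_t size0)
{
    uint64_t out;

    len += (uint64_t)stride;                      /* U64_MAX + 1 wraps to 0 */
    if (__builtin_mul_overflow(len, size0, &out)) /* stand-in for check_mul_overflow() */
        return U64_MAX;
    return out;
}

/* Same arithmetic with the sentinel tested first, as the fix describes. */
static uint64_t model_len_patched(uint64_t len, int64_t stride, uint64_t size0)
{
    if (len == U64_MAX)
        return U64_MAX; /* uninitialized length: report it unchanged */
    return model_len_unpatched(len, stride, size0);
}

/* Caller-side check: a computed length of U64_MAX means "reject the command". */
static int caller_rejects(uint64_t computed_len)
{
    return computed_len == U64_MAX;
}

int main(void)
{
    /* Constructed input: DMA length never set, stride 1, size0 == 1. */
    uint64_t before = model_len_unpatched(U64_MAX, 1, 1);
    uint64_t after = model_len_patched(U64_MAX, 1, 1);

    printf("unpatched: len=%llu rejected=%d\n",
           (unsigned long long)before, caller_rejects(before));
    printf("patched:   rejected=%d\n", caller_rejects(after));
    return 0;
}
```

For initialized lengths the two functions return the same value, so the early sentinel test changes behaviour only for commands that never set the length.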
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu driver, where DMA commands with uninitialized length values are not properly rejected.

The command state is initialized with a length value set to U64_MAX (a sentinel value indicating missing setup). If userspace omits setting this length and issues a DMA start command, the length remains at U64_MAX.

When a positive stride is added, the length wraps to a small value that no longer equals U64_MAX, so the caller's check for the sentinel passes and the bounds check is bypassed. This allows the hardware to execute DMA operations using stale physical addresses, potentially leading to unintended memory access.

The fix involves adding a check for U64_MAX at the start of the length calculation function to detect uninitialized fields before any arithmetic is performed.

Impact Analysis

This vulnerability can allow hardware to perform DMA operations with stale or incorrect physical addresses due to bypassed bounds checks.

Such behavior could lead to unauthorized memory access, data corruption, or system instability, depending on how the hardware and software interact.

Mitigation Strategies

The vulnerability is resolved by a fix in the Linux kernel that adds a check for U64_MAX at the start of dma_length() to detect uninitialized DMA length fields before any arithmetic is performed.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
