CVE-2026-53171
Received - Intake
Integer Overflow in Linux Kernel Ethosu DMA Length Calculation

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and updates region_size[]:

    len = ((len + stride[0]) * size0 + stride[1]) * size1
    region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor         Product        Version / Range
linux_kernel   linux_kernel   *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu component, specifically in the dma_length() function. The function calculates DMA region usage based on command stream values and updates region sizes. However, several arithmetic issues occur: signed stride values can underflow, intermediate multiplications can overflow, and additions involving offsets can overflow. Additionally, dma_length() error returns were not properly validated by the caller.

These arithmetic errors can corrupt the calculated region size, causing the system to under-report the actual DMA region usage. Since region_size[] is used later to validate command stream accesses against buffer sizes, this under-reporting can allow bounds validation to be bypassed, potentially leading to unsafe memory accesses.

The fix involved validating signed additions, using overflow helpers for multiplications and offset updates, and ensuring dma_length() failures are properly propagated to the caller.
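
The arithmetic in dma_length() next to a checked form of it, as an added userspace example (not the kernel patch or the driver's own code). The struct, field types and function names are assumptions built from the formula in the description, and the compiler's __builtin_*_overflow intrinsics stand in for the kernel's overflow helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the driver's DMA state (names from the formula, types assumed). */
struct dma_desc { uint64_t len; int64_t stride[2]; uint64_t size0, size1, offset; };

/* Unchecked formula: every step can wrap silently. */
static uint64_t extent_unchecked(const struct dma_desc *d)
{
    uint64_t len = ((d->len + (uint64_t)d->stride[0]) * d->size0 + (uint64_t)d->stride[1]) * d->size1;
    return len + d->offset;
}

/* len += stride for a signed stride; returns nonzero on underflow or overflow. */
static int add_stride(uint64_t *len, int64_t stride)
{
    if (stride >= 0)
        return __builtin_add_overflow(*len, (uint64_t)stride, len);
    uint64_t mag = (uint64_t)(-(stride + 1)) + 1; /* |stride|, safe for INT64_MIN */
    return __builtin_sub_overflow(*len, mag, len);
}

/* Checked formula: 0 and *extent on success, -1 on any wraparound. */
static int extent_checked(const struct dma_desc *d, uint64_t *extent)
{
    uint64_t len = d->len;
    return (add_stride(&len, d->stride[0]) || __builtin_mul_overflow(len, d->size0, &len) ||
            add_stride(&len, d->stride[1]) || __builtin_mul_overflow(len, d->size1, &len) ||
            __builtin_add_overflow(len, d->offset, extent)) ? -1 : 0;
}

/* Caller side: a failed calculation is propagated and never updates region_size. */
static int update_region(uint64_t *region_size, const struct dma_desc *d)
{
    uint64_t extent;
    if (extent_checked(d, &extent))
        return -1;
    if (extent > *region_size)
        *region_size = extent;
    return 0;
}

int main(void)
{
    struct dma_desc d = { 1ULL << 32, { 0, 0 }, 1ULL << 32, 1, 0 }; /* constructed: 2^64 wraps to 0 */
    uint64_t rs = 0;
    printf("unchecked extent=%llu, checked rc=%d\n", (unsigned long long)extent_unchecked(&d), update_region(&rs, &d));
    return 0;
}
```

With the constructed input the unchecked form reports an extent of 0, which any buffer-size comparison would accept, while the checked form returns an error and leaves region_size unchanged.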

Impact Analysis

This vulnerability can lead to bypassing bounds validation in the Linux kernel's ethosu driver. Because the region size calculations can be corrupted by arithmetic errors, the system may under-report memory usage, allowing command streams to access memory outside of their intended buffers.

Such out-of-bounds memory accesses can cause data corruption, system instability, or potentially allow an attacker to execute arbitrary code or escalate privileges, depending on how the affected component is used.

Mitigation Strategies

The vulnerability is fixed by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller in the Linux kernel's accel/ethosu component.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
