CVE-2026-53172
Received - Intake
Out-of-Bounds Write in Linux Kernel Ethosu NPU Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix IFM region index out-of-bounds in command stream parser

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a maximum value of 127. However region_size[] and output_region[] in struct ethosu_validated_cmdstream_info are both sized to NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:

  NPU_SET_OFM_REGION: st.ofm.region = param & 0x7;
  NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
  NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
  NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly as an array subscript into the kzalloc'd info struct:

  info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes a write up to 127*8 = 1016 bytes past the start of region_size[], corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region assignments.

Affected Vendors & Products

Vendor   Product        Version / Range
linux    linux_kernel   *

Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu component, specifically in the command stream parser for the NPU_SET_IFM_REGION operation.

The issue arises because the region index is extracted using a mask of 0x7f (allowing values up to 127), but the arrays region_size[] and output_region[] are only sized to hold 8 elements (indices 0 to 7).

This inconsistency means that if a userspace caller supplies a parameter greater than 7, it causes the kernel to write beyond the bounds of these arrays, corrupting adjacent kernel heap memory.

The root cause is a likely typo where the mask 0x7f was used instead of 0x7, which is used consistently in other similar region assignments.

The fix involves applying the correct mask (0x7) to ensure the region index stays within valid bounds.
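
The mask mismatch described above can be checked in a small userspace model. This is an added example, not the driver's code: the struct is a simplified stand-in, the 8-byte element size is inferred from the "127*8 = 1016" figure in the description, and the 16-bit param width and the record_region_size() guard are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPU_BASEP_REGION_MAX 8   /* array size given in the description */

/* Simplified model of the info struct; 8-byte elements are an assumption
 * taken from the "127*8 = 1016" arithmetic in the description. */
struct cmdstream_info_model {
    uint64_t region_size[NPU_BASEP_REGION_MAX];
};

/* Region index as decoded before and after the fix. */
static unsigned ifm_region_before(uint16_t param) { return param & 0x7f; }
static unsigned ifm_region_after(uint16_t param)  { return param & 0x7; }

/* Byte offset from the start of region_size[] that a store to index idx hits. */
static size_t store_offset(unsigned idx) { return (size_t)idx * sizeof(uint64_t); }

/* Count 16-bit param values whose decoded index falls outside region_size[]. */
static unsigned count_oob(unsigned (*decode)(uint16_t))
{
    unsigned n = 0;
    for (uint32_t p = 0; p <= 0xffff; p++)
        if (decode((uint16_t)p) >= NPU_BASEP_REGION_MAX)
            n++;
    return n;
}

/* Hypothetical defence-in-depth variant of the store: refuse an out-of-range
 * index instead of trusting the decoder. Returns 0 on success, -1 otherwise. */
static int record_region_size(struct cmdstream_info_model *info,
                              unsigned idx, uint64_t len)
{
    if (idx >= NPU_BASEP_REGION_MAX)
        return -1;
    if (len > info->region_size[idx])   /* same max() update as the driver line */
        info->region_size[idx] = len;
    return 0;
}

int main(void)
{
    struct cmdstream_info_model info = {0};
    printf("0x7f mask: %u out-of-range params, worst offset %zu bytes\n",
           count_oob(ifm_region_before), store_offset(ifm_region_before(0xffff)));
    printf("0x7 mask:  %u out-of-range params\n", count_oob(ifm_region_after));
    printf("guarded store at index 127 -> %d\n", record_region_size(&info, 127, 64));
    return 0;
}
```

With the 0x7 mask no param value can decode to an index outside the array, which is why the one-character change is sufficient; the explicit range check is only an extra guard and is not part of the fix described on this page.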

Impact Analysis

This vulnerability can lead to kernel heap memory corruption when a malicious or malformed userspace input supplies an out-of-bounds region index.

Heap corruption in the kernel can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Therefore, exploitation of this vulnerability could compromise the security and reliability of the affected Linux system.

Mitigation Strategies

The vulnerability is fixed by correcting the mask applied to the region index in the Linux kernel's ethosu command stream parser from 0x7f to 0x7, ensuring that out-of-bounds writes do not occur.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
