CVE-2026-53173
Status: Received - Intake
Heap OOB Write in Linux Kernel Ethosu Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()

The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered (bit 14 set), but does not re-check the loop bound before writing the second word:

    for (i = 0; i < size / 4; i++) {
        bocmds[i] = cmds[0];
        if (cmd & 0x4000) {
            i++;
            bocmds[i] = cmds[1];  /* unchecked */
        }
    }

The buffer bocmds is backed by a DMA allocation of exactly size bytes from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1]. When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is set, bocmds[size/4-1] is written in bounds, i is then incremented to size/4, and bocmds[size/4] writes four bytes past the end of the allocation.

Userspace controls both the buffer contents and the size argument via the ioctl, making this a userspace-triggerable heap out-of-bounds write.

Fix by checking the incremented index against the buffer bound before the second write and returning -EINVAL if the buffer is too small to contain the extended command.
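The index arithmetic described above, as an added user-space model (not the kernel driver's code, and not part of the original advisory). The function names, the `CMD_64BIT` macro and the sample streams are constructed for illustration; the first function only computes which index the pre-fix loop would reach, the second applies the bound check the fix describes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_64BIT 0x4000u /* bit 14: command has a second 32-bit word */

/* Constructed streams; the first ends on a command word with bit 14 set. */
static const uint32_t BAD_STREAM[4]  = { 0x0001, 0x4002, 0x0010, 0x4003 };
static const uint32_t GOOD_STREAM[4] = { 0x0001, 0x4002, 0x0010, 0x0004 };

/* Pre-fix index arithmetic only: returns the highest index the loop would
 * write, without writing, so the overrun can be observed safely. */
static size_t prefix_highest_index(const uint32_t *cmds, size_t size)
{
    size_t i, hi = 0;
    for (i = 0; i < size / 4; i++) {
        hi = i;
        if (cmds[i] & CMD_64BIT)
            hi = ++i; /* second-word index, never re-checked */
    }
    return hi;
}

/* Hardened copy: re-check the bound after the extra increment. */
static int copy_and_validate(const uint32_t *cmds, size_t size, uint32_t *bocmds)
{
    size_t i, n = size / 4; /* valid indices are [0, n-1] */
    for (i = 0; i < n; i++) {
        bocmds[i] = cmds[i];
        if (cmds[i] & CMD_64BIT) {
            if (++i >= n)
                return -EINVAL; /* extended command does not fit */
            bocmds[i] = cmds[i];
        }
    }
    return 0;
}

int main(void)
{
    uint32_t out[4];
    printf("pre-fix highest index: %zu (valid max 3)\n",
           prefix_highest_index(BAD_STREAM, sizeof BAD_STREAM));
    printf("hardened, bad stream:  %d\n", copy_and_validate(BAD_STREAM, sizeof BAD_STREAM, out));
    printf("hardened, good stream: %d\n", copy_and_validate(GOOD_STREAM, sizeof GOOD_STREAM, out));
    return 0;
}
```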
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's accel/ethosu component, specifically in the ethosu_gem_cmdstream_copy_and_validate() function. The issue arises because the command stream parsing loop increments an index variable twice when a 64-bit command word is encountered, but it does not check if the index is still within the buffer bounds before writing the second word.

As a result, when the index reaches the last valid position, the code writes four bytes past the end of the allocated buffer, causing an out-of-bounds (OOB) write. Since userspace controls both the buffer contents and its size via an ioctl call, this vulnerability can be triggered from userspace, leading to a heap out-of-bounds write.

The fix involves adding a check to ensure the incremented index does not exceed the buffer bounds before performing the second write, returning an error if the buffer is too small.

Impact Analysis

This vulnerability can lead to a heap out-of-bounds write in the Linux kernel, which may cause memory corruption. Since userspace can trigger this condition, it could potentially be exploited to crash the system, cause denial of service, or possibly execute arbitrary code with kernel privileges.

Mitigation Strategies

The vulnerability is fixed by adding a check on the incremented index against the buffer bound before performing the second write in the command stream parsing loop. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Since the issue is triggered by userspace controlling the buffer contents and size via an ioctl, restricting or monitoring access to the relevant ioctl interface can reduce risk until the kernel is patched.
