CVE-2026-53169 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject NPU_OP_RESIZE commands from userspace

NPU_OP_RESIZE is a U85-only command that the driver does not yet
implement. The existing WARN_ON(1) placeholder fires unconditionally
whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE,
causing unbounded kernel log spam.

If panic_on_warn is set the kernel panics, giving any unprivileged user
with access to the DRM device a trivial denial-of-service primitive.

Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl
rejects the command before it reaches hardware.

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A command intended only for privileged operation—NPU_OP_RESIZE—is accepted by the Linux kernel’s Ethos‑U driver even though it is not implemented. The driver uses a placeholder that unconditionally triggers a WARN_ON(1), leading to unbounded kernel log messages. If the kernel is configured with panic_on_warn, this extra warning causes the kernel to panic. The result is a trivial denial‑of‑service capability for any user able to invoke the DRM ioctl that sends this command.

Affected Systems

Linux kernel implementations that include the Accel/Ethos‑U driver. No specific vendor product or version notes are provided beyond the generic Linux kernel designation.

Risk and Exploitability

The vulnerability relies on a privileged device interface (DRM_IOCTL_ETHOSU_GEM_CREATE) that a non‑root user can access if authorized to interact with the DRM subsystem. The exploit is local and does not require elevated privileges. Although EPSS and CVSS metrics are not available, the kernel panic and widespread log flooding pose a measurable denial‑of‑service risk. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. The attack vector is local user access to the DRM device and is trivial to achieve for anyone with that access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b`	affected	< 70090a32f56a4589e7e860e0f9a8fbe4417df0a1
`5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b`	affected	< ef911805d86a05363d3ec2fa9835a41def83bb7e

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that replaces the WARN_ON(1) placeholder with an explicit -EINVAL return for NPU_OP_RESIZE commands
Test that subsequent attempts to invoke DRM_IOCTL_ETHOSU_GEM_CREATE with the NPU_OP_RESIZE command now return -EINVAL and do not produce log spam or a panic
If a kernel update is not immediately possible, block unprivileged access to the DRM device or disable the Ethos‑U driver until the patch is applied

Generated by OpenCVE AI on June 25, 2026 at 10:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/70090a32f56a4589e7e860e0f9a8fbe4417df0a1
https://git.kernel.org/stable/c/ef911805d86a05363d3ec2fa9835a41def83bb7e

History

Thu, 25 Jun 2026 11:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, causing unbounded kernel log spam. If panic_on_warn is set the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive. Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl rejects the command before it reaches hardware.
Title		accel/ethosu: reject NPU_OP_RESIZE commands from userspace
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/70090a32f56a4589e7e860e0f9a8fbe4417df0a1 https://git.kernel.org/stable/c/ef911805d86a05363d3ec2fa9835a41def83bb7e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:48.068Z

Updated: 2026-06-25T08:38:48.068Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53169

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:45:16Z

Weaknesses

CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object