Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.
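The wraparound described above, as an added example rather than code from the kernel tree: a simplified user-space model of the sentinel handling before and after the fix. The struct layout, the `stride0`/`size0` field names, the helper names and the exact arithmetic are assumptions; only `dma->len`, the U64_MAX sentinel, `cmd_state_init()`, `dma_length()` and `check_mul_overflow()` come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define U64_MAX UINT64_MAX

/* Simplified model of the per-command DMA state (layout is an assumption). */
struct dma_state {
    uint64_t len;     /* stays U64_MAX unless NPU_SET_DMA0_LEN is issued */
    uint64_t stride0; /* hypothetical field: stride set by userspace */
    uint64_t size0;   /* hypothetical field: repeat count set by userspace */
};

/* Mirrors cmd_state_init(): memset(0xff) marks every field "not set". */
static void state_init(struct dma_state *d) { memset(d, 0xff, sizeof(*d)); }

/* Pre-fix shape: arithmetic runs on the sentinel before anyone checks it. */
static uint64_t dma_length_unpatched(const struct dma_state *d)
{
    uint64_t len = d->len + d->stride0;        /* U64_MAX + 1 wraps to 0 */
    if (d->size0 && len > U64_MAX / d->size0)  /* stands in for check_mul_overflow() */
        return U64_MAX;
    return len * d->size0;
}

/* Post-fix shape: reject the sentinel before any arithmetic. */
static uint64_t dma_length_patched(const struct dma_state *d)
{
    if (d->len == U64_MAX)
        return U64_MAX;
    return dma_length_unpatched(d);
}

/* Caller's check as described: only U64_MAX is treated as "uninitialized". */
static bool caller_accepts(uint64_t len) { return len != U64_MAX; }

int main(void)
{
    struct dma_state d;
    state_init(&d);
    d.stride0 = 1; d.size0 = 1;  /* constructed input: length command omitted */
    printf("unpatched: len=%llu accepted=%d\n",
           (unsigned long long)dma_length_unpatched(&d),
           caller_accepts(dma_length_unpatched(&d)));
    printf("patched:   accepted=%d\n", caller_accepts(dma_length_patched(&d)));
    return 0;
}
```

The general point for reviewers: an in-band sentinel has to be tested before it takes part in any arithmetic, because wrapping unsigned math can turn it into a value that looks valid.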
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s Ethos‑U (NPU) driver allows a user to issue DMA start commands with an uninitialized length field. The driver uses a sentinel value of U64_MAX to mark missing length setup, but arithmetic on this sentinel can wrap to a small value, causing bounds checks to be bypassed. The hardware then executes a DMA transfer using stale physical addresses, enabling a kernel memory read or write that can be leveraged for privilege escalation.

Affected Systems

All Linux kernel releases that include the Ethos‑U NPU driver and that have not yet been upgraded to the patched version are affected. The vulnerability is present in the default kernel configuration and is not limited to specific versions according to the available data.

Risk and Exploitability

The vulnerability can be exploited by a local user who can send NPU commands to the kernel. There is no EPSS score available, and the issue is not listed in the CISA KEV catalog, but the flaw provides direct kernel memory corruption, giving an attacker the potential for arbitrary code execution with elevated privileges. The attacker would need the ability to interact with the Ethos‑U driver, so a local or privilege‑escalated user is the likely entry point.

Generated by OpenCVE AI on June 25, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the CVE-2026-53170 fix.
  • If an immediate kernel upgrade is not possible, rebuild or reconfigure the system to exclude the Ethos‑U driver, or blacklist the driver module so that it is not loaded, preventing any DMA start operations.
  • As a temporary measure, configure device permissions or kernel module parameters to disallow NPU_OP_DMA_START from user space until a proper patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 10:37 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:00:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119, CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX. In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses. Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

Type: Title
Values Removed: (none)
Values Added: accel/ethosu: reject DMA commands with uninitialized length

Type: First Time appeared
Values Removed: (none)
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:48.728Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53170

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:45:16Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-416

    Use After Free