Impact
The vulnerability originates from the Ethos‑U NPU driver in the Linux kernel, where an uninitialized 'dma->len' field is set to the sentinel value U64_MAX (0xffffffffffffffff). If userspace omits the command that normally sets this length, arithmetic performed on U64_MAX wraps to a small number. The driver subsequently fails to detect this wrapped value, allows a DMA operation that uses stale physical addresses, and bypasses bounds checking in the job execution code. This flaw, a CWE-190 integer overflow, corrupts kernel memory and allows an attacker to achieve arbitrary kernel code execution, effectively elevating local privileges.
Affected Systems
All Linux kernel releases that ship with the Ethos‑U NPU driver and have not incorporated the patched code are vulnerable. The driver is part of the kernel source tree and is enabled on SoCs that include an Ethos‑U NPU. No specific kernel version numbers are given, so any unreleased or unpatched build should be considered at risk until the fix is applied.
Risk and Exploitability
The CVSS score of 8.8 reflects a high severity that compromises confidentiality, integrity, and availability at the kernel level. The EPSS score is less than 1%, indicating a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires local access to the NPU driver; an attacker must be able to send DMA start commands without setting a length. Based on the description, the attack vector is inferred to be local. Successful exploitation would enable arbitrary kernel code execution, thereby giving the attacker full system privileges.
OpenCVE Enrichment