Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and
updates region_size[]:

len = ((len + stride[0]) * size0 + stride[1]) * size1
region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for
multiplications and offset updates, and propagating dma_length()
failures to the caller.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux kernel’s accel/ethosu driver, where the dma_length() function calculates DMA region sizes from command‑stream parameters using arithmetic that can underflow, overflow, or neglect the DMA offset. Because these errors leave the region_size array understated, subsequent bounds checks in ethosu_job.c can be bypassed, allowing a supplied command stream to read or write beyond the intended buffer. The vulnerability exposes a classic integer overflow (CWE‑190) that can lead to memory corruption, crashes or arbitrary code execution within kernel context.

Affected Systems

Any Linux kernel installation that includes the accel/ethosu driver and contains the arithmetic bug is vulnerable. The patch was added in the upstream kernel after the idiosyncratic commits referenced, but version ranges are not explicitly documented – users should ensure their kernel build reflects the fixed code.

Risk and Exploitability

EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, so public exploitation risk is uncertain. The defect lies in kernel code, implying that an attacker would need local or privileged access to supply a malicious command stream to the driver. If successfully triggered, the corrupted bounds checks could lead to kernel memory corruption, potentially compromising system integrity or granting elevated privileges. The severity is high because kernel memory corruption is a critical failure point, even though a CVSS score is not provided.

Generated by OpenCVE AI on June 25, 2026 at 11:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the dma_length() patch. Install the latest stable release that incorporates the commit referenced in the advisory.
  • Reboot the system so the updated kernel and driver are loaded.
  • If the ETHOSU driver is not required, disable or unbind it to eliminate the vulnerable code path; otherwise, restrict privileged access to components that interact with the driver.

Generated by OpenCVE AI on June 25, 2026 at 11:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dma_length() dma_length() derives DMA region usage from command stream values and updates region_size[]: len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset) Several arithmetic issues can corrupt the derived region size: - signed stride values may underflow when added to len - intermediate multiplications may overflow - len + dma->offset may overflow during region_size updates - dma_length() error returns were not validated by the caller region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation. Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.
Title accel/ethosu: fix arithmetic issues in dma_length()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:49.392Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53171

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound