Impact
The Linux kernel’s accel/ethosu driver contains an arithmetic error in the dma_length() routine that calculates DMA region sizes from command stream data. The calculation uses signed values and basic arithmetic that can underflow or overflow, and the code does not validate the result. The resulting region_size array is later used to enforce bounds on command‑stream accesses against GEM buffer sizes. If the calculated size is smaller than it should be, the bounds check can be bypassed, allowing an attacker to read or write beyond the intended buffer and corrupt kernel memory. This integer overflow (CWE‑190) could lead to privilege escalation.
Affected Systems
Any Linux kernel version that includes the accel/ethosu driver and has not yet incorporated the commit that fixes the dma_length() routine is vulnerable. The vulnerability is tied to the Linux kernel (vendor: Linux).
Risk and Exploitability
The vulnerability has a CVSS score of 8.8, indicating a high severity level. The EPSS score is less than 1%, reflecting a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation would likely require local or privileged access to the ETHOSU driver; by supplying a malicious command stream, an attacker could bypass bounds checks, corrupt kernel memory, and potentially gain higher privileges.
OpenCVE Enrichment