Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and
updates region_size[]:

len = ((len + stride[0]) * size0 + stride[1]) * size1
region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream
accesses against GEM buffer sizes. Arithmetic wraparound can therefore
under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for
multiplications and offset updates, and propagating dma_length()
failures to the caller.
Published: 2026-06-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s accel/ethosu driver contains an arithmetic error in the dma_length() routine that calculates DMA region sizes from command stream data. The calculation uses signed values and basic arithmetic that can underflow or overflow, and the code does not validate the result. The resulting region_size array is later used to enforce bounds on command‑stream accesses against GEM buffer sizes. If the calculated size is smaller than it should be, the bounds check can be bypassed, allowing an attacker to read or write beyond the intended buffer and corrupt kernel memory. This integer overflow (CWE‑190) could lead to privilege escalation.

Affected Systems

Any Linux kernel version that includes the accel/ethosu driver and has not yet incorporated the commit that fixes the dma_length() routine is vulnerable. The vulnerability is tied to the Linux kernel (vendor: Linux).

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating a high severity level. The EPSS score is less than 1%, reflecting a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation would likely require local or privileged access to the ETHOSU driver; by supplying a malicious command stream, an attacker could bypass bounds checks, corrupt kernel memory, and potentially gain higher privileges.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that includes the accel/ethosu dma_length() fix (commit 6bb73845d1855ceaf50e397175e5979a7bdf69bc).
  • Reboot the system so the updated kernel and driver are loaded.
  • If the ETHOSU driver is not required for your environment, disable or remove it to eliminate the vulnerable code path.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dma_length() dma_length() derives DMA region usage from command stream values and updates region_size[]: len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset) Several arithmetic issues can corrupt the derived region size: - signed stride values may underflow when added to len - intermediate multiplications may overflow - len + dma->offset may overflow during region_size updates - dma_length() error returns were not validated by the caller region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation. Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.
Title accel/ethosu: fix arithmetic issues in dma_length()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:43.532Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53171

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53171 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:00:12Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound