Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix IFM region index out-of-bounds in command stream parser

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:
NPU_SET_OFM_REGION: st.ofm.region = param & 0x7;
NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:
info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region
assignments.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from the Ethos‑U NPU command stream parser incorrectly masking the IFM region index with 0x7f, allowing values up to 127 instead of the intended 0–7 range. The region_size and output_region arrays in the driver are sized for eight elements, so a userspace caller supplying a high IFM index can write up to 1016 bytes beyond the array bounds, corrupting adjacent kernel heap data. This buffer overflow can cause arbitrary memory corruption in the kernel, potentially destabilizing the system or tampering with kernel data structures. The description does not specify whether this could result in privilege escalation or denial‑of‑service, so only the presence of memory corruption is documented.

Affected Systems

Any Linux kernel release that contains the accel/ethosu driver code path before the patch commit is affected. No explicit kernel version list is provided, so all kernels with the vulnerable Ethos‑U command stream parser that have code are potentially at risk.

Risk and Exploitability

The vulnerability is local: an attacker must be able to invoke the NPU ioctl or otherwise provide a maliciousSS score is 7.8. The EPSS score is < 1% and the issue is not listed in the CISA KEV catalog, indicating no publicly known exploits at this time. The bug can cause kernel heap corruption, and the severity is high due to the kernel context. An attacker with local access could construct a malformed command stream to trigger the overflow and corrupt kernel memory; however, exploitation to gain higher privileges or crash the system is not confirmed in the description.

Generated by OpenCVE AI on June 28, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel update that includes the Ethos‑U patch fixing the IFM region masking to & 0x7. If an official update is unavailable, apply the relevant patch manually to the kernel source and rebuild.
  • Enable kernel memory protection features such as stack canaries, SMAP/SMEP, and address space layout randomization (KASLR) to mitigate the impact of any residual buffer overflow.
  • If a patch or update cannot be applied immediately and the Ethos‑U driver is not essential, restrict NPU device node so that no malicious command stream can be submitted.

Generated by OpenCVE AI on June 28, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-bounds in command stream parser NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a maximum value of 127. However region_size[] and output_region[] in struct ethosu_validated_cmdstream_info are both sized to NPU_BASEP_REGION_MAX (8), giving valid indices [0..7]. Every other region assignment in the same switch uses param & 0x7: NPU_SET_OFM_REGION: st.ofm.region = param & 0x7; NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7; NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7; NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7; The 0x7f mask on IFM is inconsistent and appears to be a typo. feat_matrix_length() and calc_sizes() use the region index directly as an array subscript into the kzalloc'd info struct: info->region_size[fm->region] = max(...); A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes a write up to 127*8 = 1016 bytes past the start of region_size[], corrupting adjacent kernel heap data. Fix by applying the same & 0x7 mask used by all other region assignments.
Title accel/ethosu: fix IFM region index out-of-bounds in command stream parser
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:45.157Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53172

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53172 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input