Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix IFM region index out-of-bounds in command stream parser

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:

    NPU_SET_OFM_REGION:    st.ofm.region = param & 0x7;
    NPU_SET_IFM2_REGION:   st.ifm2.region = param & 0x7;
    NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
    NPU_SET_SCALE_REGION:  st.scale[0].region = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:

    info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region
assignments.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The patch indicates that the Ethos-U NPU command stream parser incorrectly masked an IFM region index, allowing values up to 127 instead of the intended 0–7 range. A userspace caller can supply a command stream that writes beyond the allocated `region_size` array, corrupting adjacent kernel heap data. This buffer overflow could lead to arbitrary memory corruption, potentially enabling privilege escalation or a denial‑of‑service if the kernel crashes.
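
The mask mismatch described above, modelled in userspace C as an added example (not the kernel driver's code). The `info_model` struct, the 8-byte element type, the 16-bit parameter width and all function names are assumptions made for illustration; the point-of-use bounds check is a defence-in-depth variant, not the upstream fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NPU_BASEP_REGION_MAX 8  /* array size given in the description */
#define IFM_MASK_BUGGY 0x7fu    /* mask before the fix */
#define IFM_MASK_FIXED 0x7u     /* mask used by the other region commands */

/* Stand-in for struct ethosu_validated_cmdstream_info. The 8-byte element
 * type is an assumption taken from the 127*8 = 1016 figure. */
struct info_model {
    uint64_t region_size[NPU_BASEP_REGION_MAX];
};

/* Region index the parser stores for a command parameter. */
static unsigned int decode_region(uint16_t param, unsigned int mask)
{
    return param & mask;
}

/* Point-of-use guard around the max() update quoted in the description:
 * reject an out-of-range index instead of trusting the parser's mask. */
static int record_region_size(struct info_model *info, unsigned int region,
                              uint64_t len)
{
    if (region >= NPU_BASEP_REGION_MAX)
        return -EINVAL;
    if (len > info->region_size[region])
        info->region_size[region] = len;
    return 0;
}

/* Count 16-bit parameters (width assumed) that decode out of bounds. */
static unsigned int count_oob_params(unsigned int mask)
{
    unsigned int bad = 0;
    for (uint32_t p = 0; p <= 0xffff; p++)
        bad += decode_region((uint16_t)p, mask) >= NPU_BASEP_REGION_MAX;
    return bad;
}

int main(void)
{
    struct info_model info = {0};
    unsigned int r = decode_region(0x7f, IFM_MASK_BUGGY);
    printf("buggy: region %u, byte offset %zu, guarded store rc %d\n", r,
           r * sizeof(uint64_t), record_region_size(&info, r, 4096));
    return 0;
}
```

With the 0x7f mask, 120 of every 128 parameter values decode to an index outside `region_size[]`; with 0x7 none do, which is why the one-character mask change closes the bug.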

Affected Systems

The affected product is the Linux kernel on any distribution that includes the Ethos‑U driver before the patch commit. No specific kernel versions or release dates are listed, so all kernel releases that contain the vulnerable `accel/ethosu` code path are potentially affected until the patch is applied.

Risk and Exploitability

The vulnerability is local and requires a user or process that can invoke the NPU ioctl or related userspace interface. The EPSS score is not available, but the absence from the CISA KEV list indicates no publicly known exploits at this time. The CVSS can be inferred as high because the flaw is in kernel code and has local privilege escalation potential. Attackers with local access could craft a malicious command stream to trigger the buffer overflow and corrupt kernel memory.

Generated by OpenCVE AI on June 25, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that changes the IFM region masking to & 0x7 as defined for all other regions.
  • Ensure the kernel is rebuilt with stack protection and other memory‑corruption mitigations (e.g., canary, SMAP, SMEP).
  • If a recent kernel update is not yet available, restrict or disable the userspace interface that sends NPU command streams, or use a custom patch to drop any IFM region index values greater than 7.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Title accel/ethosu: fix IFM region index out-of-bounds in command stream parser
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:50.056Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53172

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer