Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()

The command stream parsing loop increments the index variable a second
time when a 64-bit command word is encountered (bit 14 set), but does
not re-check the loop bound before writing the second word:

    for (i = 0; i < size / 4; i++) {
        bocmds[i] = cmds[0];
        if (cmd & 0x4000) {
            i++;
            bocmds[i] = cmds[1];  /* unchecked */
        }
    }

The buffer bocmds is backed by a DMA allocation of exactly size bytes
from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].

When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is
set, bocmds[size/4-1] is written in bounds, i is then incremented to
size/4, and bocmds[size/4] writes four bytes past the end of the
allocation.

Userspace controls both the buffer contents and the size argument via
the ioctl, making this a userspace-triggerable heap out-of-bounds write.

Fix by checking the incremented index against the buffer bound before
the second write and returning -EINVAL if the buffer is too small to
contain the extended command.
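
A userspace model of the bound check described above, as an added example that is not the kernel patch or the driver's own code. The function names, the `CMD_64BIT` macro and the sample command words are constructed for illustration, and the source words are read from a plain array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CMD_64BIT 0x4000u   /* bit 14: command carries a second 32-bit word */

/* Copy `size` bytes of command words from src to dst (each exactly `size`
 * bytes). Returns 0, or -EINVAL if a 64-bit command is cut off at the end. */
static int copy_and_validate(const uint32_t *src, size_t size, uint32_t *dst)
{
    size_t nwords = size / 4;

    for (size_t i = 0; i < nwords; i++) {
        uint32_t cmd = src[i];
        dst[i] = cmd;
        if (cmd & CMD_64BIT) {
            i++;
            if (i >= nwords)        /* re-check after the second increment */
                return -EINVAL;
            dst[i] = src[i];
        }
    }
    return 0;
}

/* Run the copy into a heap buffer of exactly `size` bytes, mirroring the
 * exact-size allocation in the description; returns the validator's result. */
static int run_case(const uint32_t *stream, size_t size)
{
    uint32_t *dst = malloc(size ? size : 1);
    int ret;
    if (!dst)
        return -ENOMEM;
    ret = copy_and_validate(stream, size, dst);
    free(dst);
    return ret;
}

int main(void)
{
    /* Constructed sample streams, not real Ethos-U commands. */
    const uint32_t ok[]        = { 0x0001, 0x4002, 0xdeadbeef, 0x0003 };
    const uint32_t truncated[] = { 0x0001, 0x0002, 0x0003, 0x4004 };

    printf("well-formed: %d\n", run_case(ok, sizeof(ok)));
    printf("truncated:   %d\n", run_case(truncated, sizeof(truncated)));
    return 0;
}
```

Building this with `-fsanitize=address` and removing the `i >= nwords` check makes the truncated stream report a heap-buffer-overflow on the final write, which is the four-byte overrun the description walks through.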
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap out-of-bounds write occurs in the Linux kernel driver 'accel/ethosu' when processing 64-bit commands. The parsing loop increments the index a second time for commands with bit 14 set but does not verify that the new index remains within the buffer bounds before writing the second word. The unchecked write lands four bytes past the end of the allocation backing the buffer, corrupting adjacent kernel heap memory and potentially letting a local user gain higher privileges or crash the system.

Affected Systems

The vulnerability affects any Linux kernel that includes the legacy ‘accel/ethosu’ driver before the commit that introduced the bound check. No specific kernel releases or version numbers were listed in the advisory, so all builds that ship with the vulnerable driver are potentially impacted.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA KEV. Kernel OOB writes are nonetheless typically considered high-risk because they directly affect kernel memory. The attack vector is local: a regular user with access to the device node (for example, /dev/ethosu or the DRM device) can issue the ioctl that supplies the command stream. Because the caller controls both the buffer contents and the size parameter, the condition can be reached without privileged input. The lack of a publicly known exploit does not reduce the potential severity of the vulnerability.

Generated by OpenCVE AI on June 26, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest release that includes the fixed commit from the kernel development tree.
  • If a kernel upgrade is not immediately possible, block access to the affected device by setting restrictive ownership or permissions on /dev/ethosu (for example, change the mode to 000 or remove the device node entirely).
  • After applying the fix or blocking the device, monitor system logs for kernel OOPS or OOM incidents that may indicate lingering corruption, and restart affected services or the system if necessary.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 26 Jun 2026 00:15:00 +0000


Thu, 25 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Title accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:50.709Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53173

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Public Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53173 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T04:45:06Z

Weaknesses