Description
In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Fix signed integer truncation in IPC receive

Fix potential buffer overflow where firmware-supplied data_size is cast
to signed int before being used in min_t(). Large unsigned values
(>= 0x80000000) become negative, causing unsigned wraparound and
oversized memcpy operations that can overflow the stack buffer.

Change min_t(int, ...) to min() as both values are unsigned and can be
handled by min() without explicit cast.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The accel/ivpu module of the Linux kernel contains a signed integer truncation bug in its IPC receive routine: a firmware‑supplied data_size is cast to signed int before being passed to min_t(), converting large unsigned values into negative numbers. The negative value then wraps around when treated as an unsigned length, leading to an oversized memcpy that overflows a stack buffer. This flaw permits an attacker capable of controlling the data_size parameter to corrupt stack memory, potentially enabling arbitrary code execution or other kernel‑level damage.
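
A minimal userspace model of the min_t(int, ...) clamp described above, next to the unsigned comparison the fix switches to. It is an added illustration, not the ivpu driver's code: the min_t macro is a simplified stand-in for the kernel's, and RX_BUF_SIZE, copy_len_signed and copy_len_unsigned are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's min_t(): cast both operands to
 * `type`, then compare. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

#define RX_BUF_SIZE 128u /* constructed size of the stack destination buffer */

/* Pre-fix pattern: both operands are forced to signed int before comparing. */
static size_t copy_len_signed(uint32_t data_size)
{
    /* data_size >= 0x80000000 turns negative here and "wins" the minimum. */
    int len = min_t(int, data_size, RX_BUF_SIZE);

    /* Same conversion a size_t length parameter (as in memcpy) applies:
     * a negative int wraps to a huge unsigned value. */
    return (size_t)len;
}

/* Post-fix pattern: compare as unsigned, so the result never exceeds the cap. */
static size_t copy_len_unsigned(uint32_t data_size)
{
    uint32_t cap = RX_BUF_SIZE;

    return data_size < cap ? data_size : cap;
}

int main(void)
{
    /* Constructed firmware-supplied sizes around the 0x80000000 boundary. */
    const uint32_t samples[] = { 0u, 64u, 128u, 4096u,
                                 0x7fffffffu, 0x80000000u, 0xffffffffu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t bad = copy_len_signed(samples[i]);
        size_t good = copy_len_unsigned(samples[i]);

        printf("data_size=0x%08x signed_len=%zu unsigned_len=%zu %s\n",
               (unsigned)samples[i], bad, good,
               bad > RX_BUF_SIZE ? "OVERSIZED" : "ok");
    }
    return 0;
}
```

Only the two samples at or above 0x80000000 escape the signed clamp; every value up to 0x7fffffff is clamped correctly, which is why ordinary testing with plausible sizes does not surface the bug.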

Affected Systems

Any Linux system running a kernel that includes the accel/ivpu IPC interface before the patch commit 2821bf2b79e47f87e1dbdd9d25c78240965a97d6. No specific kernel version numbers were supplied; therefore, all kernels containing the vulnerable accel/ivpu code are considered affected.

Risk and Exploitability

The vulnerability is a kernel‑level stack buffer overflow. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, indicating no known public exploits yet. Nonetheless, the high severity of a kernel overflow and the fact that the flaw requires only local influence on the IPC interface—typically accessible to firmware or trusted processes—make the risk significant. An attacker who can supply a crafted data_size value could corrupt kernel memory, leading to privilege escalation or arbitrary code execution.

Generated by OpenCVE AI on June 25, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a kernel update that incorporates commit 2821bf2b79e47f87e1dbdd9d25c78240965a97d6 or later.
  • If an immediate update is infeasible, restrict or block access to the IVPU IPC interface, preventing untrusted firmware from invoking the vulnerable routine.
  • Ensure that any firmware interacting with the kernel is authenticated and verified, and monitor for unexpected IPC requests that may signal exploitation attempts.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-680

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix signed integer truncation in IPC receive Fix potential buffer overflow where firmware-supplied data_size is cast to signed int before being used in min_t(). Large unsigned values (>= 0x80000000) become negative, causing unsigned wraparound and oversized memcpy operations that can overflow the stack buffer. Change min_t(int, ...) to min() as both values are unsigned and can be handled by min() without explicit cast.
Title | | accel/ivpu: Fix signed integer truncation in IPC receive
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:10.287Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53202

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses
  • CWE-680: Integer Overflow to Buffer Overflow