Skip to main content

Linux Kernel CVE-2026-53170

| EUVDEUVD-2026-39261 HIGH
Use of Uninitialized Resource (CWE-908)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8pg6-rv6x-wjc2
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Local device access with low privilege (PR:L) and no user interaction; DMA to arbitrary physical memory crosses the kernel/process boundary (S:C) with full read/write/availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:19 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

AnalysisAI

Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to NPU device
Delivery
Build DMA command stream omitting NPU_SET_DMA0_LEN
Exploit
Issue NPU_OP_DMA_START with len=U64_MAX
Execution
dma_length() wraps to 0, bounds check bypassed
Persist
Hardware DMA to stale physical addresses
Impact
Out-of-bounds memory read/write and privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access on a device whose kernel has the drivers/accel/ethosu (Arm Ethos-U NPU) driver loaded and exposes the accelerator device node to the attacker, plus the privilege to submit NPU command streams (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but coherent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a compromised low-privileged service) with access to the Ethos-U accel device crafts a command stream that issues NPU_OP_DMA_START without first sending NPU_SET_DMA0_LEN, leaving dma->len at U64_MAX. The wrap in dma_length() yields a length of 0, the bounds check is skipped, and the NPU DMA engine transfers data to/from stale physical addresses, enabling out-of-bounds reads or writes of host memory and potential privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed Linux kernel - stable 7.0.13 or 7.1 per EUVD, or rebuild with the upstream fix commits d9d021218162b6c4fe0bdf42b2b340f1aae23a12 and fb25c76a820ca8a547aa478bfb503da0a11494ab (https://git.kernel.org/stable/c/d9d021218162b6c4fe0bdf42b2b340f1aae23a12 and https://git.kernel.org/stable/c/fb25c76a820ca8a547aa478bfb503da0a11494ab); the fix adds a U64_MAX short-circuit at the start of dma_length(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all production systems with Arm Ethos-U NPU drivers enabled and immediately restrict NPU job submission permissions to only essential, trusted services and accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy