Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local device access with low privilege (PR:L) and no user interaction; DMA to arbitrary physical memory crosses the kernel/process boundary (S:C) with full read/write/availability impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: reject DMA commands with uninitialized length
cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.
In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.
Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
AnalysisAI
Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access on a device whose kernel has the drivers/accel/ethosu (Arm Ethos-U NPU) driver loaded and exposes the accelerator device node to the attacker, plus the privilege to submit NPU command streams (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but coherent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a compromised low-privileged service) with access to the Ethos-U accel device crafts a command stream that issues NPU_OP_DMA_START without first sending NPU_SET_DMA0_LEN, leaving dma->len at U64_MAX. The wrap in dma_length() yields a length of 0, the bounds check is skipped, and the NPU DMA engine transfers data to/from stale physical addresses, enabling out-of-bounds reads or writes of host memory and potential privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux kernel - stable 7.0.13 or 7.1 per EUVD, or rebuild with the upstream fix commits d9d021218162b6c4fe0bdf42b2b340f1aae23a12 and fb25c76a820ca8a547aa478bfb503da0a11494ab (https://git.kernel.org/stable/c/d9d021218162b6c4fe0bdf42b2b340f1aae23a12 and https://git.kernel.org/stable/c/fb25c76a820ca8a547aa478bfb503da0a11494ab); the fix adds a U64_MAX short-circuit at the start of dma_length(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all production systems with Arm Ethos-U NPU drivers enabled and immediately restrict NPU job submission permissions to only essential, trusted services and accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39261
GHSA-8pg6-rv6x-wjc2