Skip to main content

Linux Kernel CVE-2026-53171

| EUVDEUVD-2026-39262 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vp3v-wxjh-fcp5
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Local job submission needs device access so AV:L/PR:L; reliable arithmetic trigger gives AC:L; bounds bypass corrupts kernel memory beyond the buffer, justifying S:C and C/I/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:19 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix arithmetic issues in dma_length()

dma_length() derives DMA region usage from command stream values and updates region_size[]:

len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset)

Several arithmetic issues can corrupt the derived region size:

  • signed stride values may underflow when added to len
  • intermediate multiplications may overflow
  • len + dma->offset may overflow during region_size updates
  • dma_length() error returns were not validated by the caller

region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation.

Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.

AnalysisAI

Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to Ethos-U device node
Delivery
Submit crafted command stream
Exploit
Trigger integer overflow/underflow in dma_length()
Execution
Under-report DMA region_size[]
Persist
Bypass GEM buffer bounds check
Impact
Out-of-bounds DMA corrupts kernel memory

Vulnerability AssessmentAI

Exploitation Requires local access to a system that has the Arm Ethos-U accelerator (accel/ethosu) driver loaded and the corresponding NPU device node accessible, plus the ability to submit a command stream to that device (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real but access-gated local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a compromised low-privileged service/container with access to the Ethos-U accelerator device) crafts a command stream containing stride and size values chosen so that dma_length()'s arithmetic overflows or underflows, causing region_size[] to be smaller than the memory the operation actually touches. When the job runs, ethosu_job.c's bounds check passes against the under-reported size, allowing DMA reads/writes beyond the GEM buffer into adjacent kernel-managed memory, leading to corruption or escalation. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the kernel stable commits 6bb73845d1855ceaf50e397175e5979a7bdf69bc and ee6d9b6e51626f259c6f0e38d94f91be4fd14754 (https://git.kernel.org/stable/c/6bb73845d1855ceaf50e397175e5979a7bdf69bc and https://git.kernel.org/stable/c/ee6d9b6e51626f259c6f0e38d94f91be4fd14754), or update to a stable kernel that includes them (EUVD maps fixes to versions reported as 7.0.13 and 7.1; verify against your distribution's changelog before relying on those numbers). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems using Arm Ethos-U NPU accelerators and categorize by business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy