Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local job submission needs device access so AV:L/PR:L; reliable arithmetic trigger gives AC:L; bounds bypass corrupts kernel memory beyond the buffer, justifying S:C and C/I/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: fix arithmetic issues in dma_length()
dma_length() derives DMA region usage from command stream values and updates region_size[]:
len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset)
Several arithmetic issues can corrupt the derived region size:
- signed stride values may underflow when added to len
- intermediate multiplications may overflow
- len + dma->offset may overflow during region_size updates
- dma_length() error returns were not validated by the caller
region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation.
Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.
AnalysisAI
Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a system that has the Arm Ethos-U accelerator (accel/ethosu) driver loaded and the corresponding NPU device node accessible, plus the ability to submit a command stream to that device (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real but access-gated local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a compromised low-privileged service/container with access to the Ethos-U accelerator device) crafts a command stream containing stride and size values chosen so that dma_length()'s arithmetic overflows or underflows, causing region_size[] to be smaller than the memory the operation actually touches. When the job runs, ethosu_job.c's bounds check passes against the under-reported size, allowing DMA reads/writes beyond the GEM buffer into adjacent kernel-managed memory, leading to corruption or escalation. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the kernel stable commits 6bb73845d1855ceaf50e397175e5979a7bdf69bc and ee6d9b6e51626f259c6f0e38d94f91be4fd14754 (https://git.kernel.org/stable/c/6bb73845d1855ceaf50e397175e5979a7bdf69bc and https://git.kernel.org/stable/c/ee6d9b6e51626f259c6f0e38d94f91be4fd14754), or update to a stable kernel that includes them (EUVD maps fixes to versions reported as 7.0.13 and 7.1; verify against your distribution's changelog before relying on those numbers). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems using Arm Ethos-U NPU accelerators and categorize by business criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39262
GHSA-vp3v-wxjh-fcp5