Skip to main content

Linux Kernel CVE-2026-53203

| EUVDEUVD-2026-39294 HIGH
Classic Buffer Overflow (CWE-120)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3p7h-6f7m-pv53
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local ioctl by a low-privileged user with device access (AV:L/PR:L/AC:L); out-of-bounds kernel copy yields memory disclosure and crash (C:H/A:H) but no integrity write to attacker-controlled data (I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:32 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Add buffer overflow check in MS get_info_ioctl

Add validation that the info size returned from the metric stream info query is not exceeded when checked against the allocated buffer size. If the firmware returns a size larger than the buffer, reject the operation with -EOVERFLOW instead of proceeding with an incorrect buffer copy.

AnalysisAI

Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to host with Intel NPU
Delivery
Open /dev/accel ivpu device node
Exploit
Issue MS get_info ioctl
Execution
Firmware returns oversized info size
Persist
Driver copies past buffer bound
Impact
Kernel memory disclosure or crash

Vulnerability AssessmentAI

Exploitation Requires local access and the ability to open the Intel NPU/VPU accelerator device exposed by the ivpu driver (the DRM accel /dev/accel node), with PR:L meaning the attacker must already hold low-level local privileges sufficient to issue ioctls on that device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a real but bounded local-only risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user (or a compromised local process) with access to the Intel NPU device node opens /dev/accel and issues the metric stream get_info ioctl, inducing the driver to copy a firmware-reported size that exceeds the allocated buffer. The resulting out-of-bounds kernel copy can disclose adjacent kernel memory or crash the system (denial of service). …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.12.94 or later in the 6.12.y line, 6.18.36 or later in the 6.18.y line, or 7.0.13 or later in the 7.0.y line (corresponding upstream fix commits 4e5047cc94bea1cc7b670b7f503358e9af0542df, d3c12ed33e8923f3090909a1738f3e59292996a6, fa598556ecef412edcb391f144b7642e18fdfd45, fb176425837693f50c5c9fc8db6fbb04af22bd0a on git.kernel.org). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems with Intel NPU/VPU accelerators via 'lspci -k | grep -i intel' and 'lsmod | grep ivpu'; document current kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy