Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local access (AV:L) with low privileges (PR:L); AC:H because the attacker must influence firmware-supplied indices; out-of-bounds read gives C:H and crash A:H, no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Add bounds checks for firmware log indices
Add validation that read and write indices in the firmware log buffer are within valid bounds (< data_size) before using them. If out-of-bounds indices are encountered (from firmware), clamp them to safe values instead of proceeding with invalid offsets.
This prevents potential out-of-bounds buffer access when firmware supplies invalid log indices.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a system that has the accel/ivpu (Intel VPU/NPU) driver loaded - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly aligned toward a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user on an Intel Core Ultra laptop or workstation interacts with the ivpu accelerator device while the firmware log buffer presents out-of-bounds read/write indices, causing the unpatched driver to read kernel memory outside the log region, leaking sensitive kernel data or panicking the system. Because the malicious values come from the NPU firmware path, a more potent variant chains a firmware-level compromise to reliably supply attacker-chosen indices. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.12.94 or later in the 6.12 series, 6.18.36 or later, or 7.0.13 or later (the fix is also present in 7.1), corresponding to upstream commits 535da9ad8420, 5961c7034140, 8ec70c0dbdf0, and dd1311bcf0e6 available at git.kernel.org/stable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Intel Core Ultra with Linux kernel versions 6.12.x through 7.x; document system count and exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39296
GHSA-gm9p-3w2c-c6qg