Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local device ioctl with low-privileged access (AV:L/PR:L), deterministic attacker-controlled OOB write giving low complexity (AC:L) and full kernel C/I/A impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered (bit 14 set), but does not re-check the loop bound before writing the second word:
for (i = 0; i < size / 4; i++) { bocmds[i] = cmds[0]; if (cmd & 0x4000) { i++; bocmds[i] = cmds[1]; /* unchecked */ } }
The buffer bocmds is backed by a DMA allocation of exactly size bytes from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].
When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is set, bocmds[size/4-1] is written in bounds, i is then incremented to size/4, and bocmds[size/4] writes four bytes past the end of the allocation.
Userspace controls both the buffer contents and the size argument via the ioctl, making this a userspace-triggerable heap out-of-bounds write.
Fix by checking the incremented index against the buffer bound before the second write and returning -EINVAL if the buffer is too small to contain the extended command.
AnalysisAI
Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a system whose kernel was built with the accel/ethosu driver and that exposes the Arm Ethos-U NPU accel device node, plus the ability to call the command-stream copy-and-validate ioctl (consistent with PR:L - a low-privileged local user that can open the device). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine-but-locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker who already has code execution on the host - for example inside a container or a constrained application sandbox that can open the Ethos-U accel device - crafts a command stream whose final in-bounds command sets bit 14 (0x4000) and submits it with a precisely chosen size so the extension word lands one 32-bit word past the DMA allocation. The resulting controlled four-byte heap overwrite can be shaped into kernel memory corruption and escalation to root. … |
| Remediation | Apply the upstream kernel fix that revalidates the incremented index against the buffer bound and returns -EINVAL when the buffer is too small for the extended 64-bit command. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems with Arm Ethos-U NPU hardware and the accel/ethosu DRM driver; document kernel versions in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39264
GHSA-8652-hhjr-7fh7