Skip to main content

Linux Kernel EUVDEUVD-2026-39264

| CVE-2026-53173 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8652-hhjr-7fh7
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local device ioctl with low-privileged access (AV:L/PR:L), deterministic attacker-controlled OOB write giving low complexity (AC:L) and full kernel C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:20 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()

The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered (bit 14 set), but does not re-check the loop bound before writing the second word:

for (i = 0; i < size / 4; i++) { bocmds[i] = cmds[0]; if (cmd & 0x4000) { i++; bocmds[i] = cmds[1]; /* unchecked */ } }

The buffer bocmds is backed by a DMA allocation of exactly size bytes from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].

When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is set, bocmds[size/4-1] is written in bounds, i is then incremented to size/4, and bocmds[size/4] writes four bytes past the end of the allocation.

Userspace controls both the buffer contents and the size argument via the ioctl, making this a userspace-triggerable heap out-of-bounds write.

Fix by checking the incremented index against the buffer bound before the second write and returning -EINVAL if the buffer is too small to contain the extended command.

AnalysisAI

Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to Ethos-U device
Delivery
Craft command stream with bit-14 set
Exploit
Submit oversized cmdstream via ioctl
Execution
Write four bytes past DMA buffer
Persist
Corrupt adjacent kernel heap
Impact
Escalate privileges to root

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a system whose kernel was built with the accel/ethosu driver and that exposes the Arm Ethos-U NPU accel device node, plus the ability to call the command-stream copy-and-validate ioctl (consistent with PR:L - a low-privileged local user that can open the device). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine-but-locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker who already has code execution on the host - for example inside a container or a constrained application sandbox that can open the Ethos-U accel device - crafts a command stream whose final in-bounds command sets bit 14 (0x4000) and submits it with a precisely chosen size so the extension word lands one 32-bit word past the DMA allocation. The resulting controlled four-byte heap overwrite can be shaped into kernel memory corruption and escalation to root. …
Remediation Apply the upstream kernel fix that revalidates the incremented index against the buffer bound and returns -EINVAL when the buffer is too small for the extended 64-bit command. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems with Arm Ethos-U NPU hardware and the accel/ethosu DRM driver; document kernel versions in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy