Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access to the ivpu device gives AV:L/PR:L, but triggering needs attacker-controlled firmware-supplied oversize data, justifying AC:H; a successful overflow yields full kernel CIA impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix signed integer truncation in IPC receive
Fix potential buffer overflow where firmware-supplied data_size is cast to signed int before being used in min_t(). Large unsigned values (>= 0x80000000) become negative, causing unsigned wraparound and oversized memcpy operations that can overflow the stack buffer.
Change min_t(int, ...) to min() as both values are unsigned and can be handled by min() without explicit cast.
AnalysisAI
Local memory corruption in the Linux kernel's Intel VPU accelerator driver (accel/ivpu) lets attacker-influenced firmware data overflow a stack buffer during IPC message receive. The defect is a signed-int truncation of the firmware-supplied data_size in min_t(int, ...), so values >= 0x80000000 turn negative, bypass the size clamp, and drive an oversized memcpy. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) target hardware with an Intel VPU/NPU and the accel/ivpu driver loaded and active; (2) local low-privilege access to interact with the driver's IPC path (CVSS PR:L, AV:L, UI:N); and (3) the ability to cause the VPU firmware to return a data_size value >= 0x80000000 on the IPC receive path, which triggers the signed truncation and oversized memcpy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent toward 'real but constrained.' The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8 HIGH) indicates a local low-privilege attacker with full CIA impact - kernel-level memory corruption, not remote compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a system with an Intel VPU/NPU and the ivpu driver loaded, an attacker who can influence the firmware's IPC response (via compromised or malicious firmware, or a privileged path controlling device messaging) makes the firmware report a data_size with the high bit set. The signed-truncation bug bypasses the size clamp and performs an oversized memcpy into a stack buffer, corrupting kernel memory and enabling denial of service or potential kernel code execution. … |
| Remediation | Apply the vendor patch by upgrading to a fixed kernel: 7.1, 7.0.13, 6.18.36, or 6.12.94 (or later) per the stable trees; the relevant commits are 2821bf2b79e47f87e1dbdd9d25c78240965a97d6, 45cb105b8642c65e9be286f7058e92314efe7ea3, 4788556d4dd9d717037e385de178974e9649231d, and d9faef564438d1e4579c692c046603e7ada7bdf4 (https://git.kernel.org/stable/c/d9faef564438d1e4579c692c046603e7ada7bdf4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems with Intel VPU accelerators and identify kernel versions prior to the patched release. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39293
GHSA-jpvf-6235-4rh8