Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local ioctl by a low-privileged user with device access (AV:L/PR:L/AC:L); out-of-bounds kernel copy yields memory disclosure and crash (C:H/A:H) but no integrity write to attacker-controlled data (I:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Add buffer overflow check in MS get_info_ioctl
Add validation that the info size returned from the metric stream info query is not exceeded when checked against the allocated buffer size. If the firmware returns a size larger than the buffer, reject the operation with -EOVERFLOW instead of proceeding with an incorrect buffer copy.
AnalysisAI
Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access and the ability to open the Intel NPU/VPU accelerator device exposed by the ivpu driver (the DRM accel /dev/accel node), with PR:L meaning the attacker must already hold low-level local privileges sufficient to issue ioctls on that device. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a real but bounded local-only risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user (or a compromised local process) with access to the Intel NPU device node opens /dev/accel and issues the metric stream get_info ioctl, inducing the driver to copy a firmware-reported size that exceeds the allocated buffer. The resulting out-of-bounds kernel copy can disclose adjacent kernel memory or crash the system (denial of service). … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.12.94 or later in the 6.12.y line, 6.18.36 or later in the 6.18.y line, or 7.0.13 or later in the 7.0.y line (corresponding upstream fix commits 4e5047cc94bea1cc7b670b7f503358e9af0542df, d3c12ed33e8923f3090909a1738f3e59292996a6, fa598556ecef412edcb391f144b7642e18fdfd45, fb176425837693f50c5c9fc8db6fbb04af22bd0a on git.kernel.org). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory systems with Intel NPU/VPU accelerators via 'lspci -k | grep -i intel' and 'lsmod | grep ivpu'; document current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39294
GHSA-3p7h-6f7m-pv53