CVE-2026-53169
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In the Linux kernel's accel/ethosu driver, the NPU_OP_RESIZE command, which is U85-only, is not yet implemented. When userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, it triggers a WARN_ON(1), causing unbounded kernel log spam. If panic_on_warn is set, the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive.
Risk Assessment
The organization faces the risk of disk space exhaustion due to log spam and potential kernel panic, which can lead to system downtime. The attack can be performed by a local unprivileged user, posing a significant threat to production environment stability.
Recommendation
Immediately update the Linux kernel to a version containing the fix that replaces WARN_ON(1) with an -EINVAL return. If an update is not possible, restrict access to the DRM device for unprivileged users.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, causing unbounded kernel log spam. If panic_on_warn is set the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive. Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl rejects the command before it reaches hardware.

