CVE Catalog

CVE-2026-53170

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

In the Linux kernel, the accel/ethosu driver has a vulnerability due to uninitialized DMA length. If userspace omits setting the DMA length before starting a transfer, the driver uses an uninitialized value (U64_MAX), leading to bypass of bounds checks and execution of DMA with stale physical addresses.

Risk Assessment

An attacker with local access can exploit this vulnerability to perform DMA operations on arbitrary memory addresses, potentially leading to privilege escalation or data leakage.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds a check for U64_MAX before arithmetic operations in the dma_length() function.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX. In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses. Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS