CVE-2026-53172
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In the Linux kernel driver for Ethos-U accelerator (accel/ethosu), a vulnerability was found in the command stream parser. The NPU_SET_IFM_REGION function uses a 0x7f mask instead of 0x7, allowing out-of-bounds indexing of the region_size[] array (size 8). A userspace attacker can craft a call to write past the allocated buffer, corrupting adjacent kernel heap data.
Risk Assessment
The vulnerability allows a local attacker with user privileges to perform an out-of-bounds write in the kernel, potentially leading to privilege escalation, data leakage, or system instability.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit changing the mask from 0x7f to 0x7). If an update is not possible, restrict access to the Ethos-U driver interface to trusted processes only.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-bounds in command stream parser NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a maximum value of 127. However region_size[] and output_region[] in struct ethosu_validated_cmdstream_info are both sized to NPU_BASEP_REGION_MAX (8), giving valid indices [0..7]. Every other region assignment in the same switch uses param & 0x7: NPU_SET_OFM_REGION: st.ofm.region = param & 0x7; NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7; NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7; NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7; The 0x7f mask on IFM is inconsistent and appears to be a typo. feat_matrix_length() and calc_sizes() use the region index directly as an array subscript into the kzalloc'd info struct: info->region_size[fm->region] = max(...); A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes a write up to 127*8 = 1016 bytes past the start of region_size[], corrupting adjacent kernel heap data. Fix by applying the same & 0x7 mask used by all other region assignments.

