CVE-2026-53170

Source
https://cve.org/CVERecord?id=CVE-2026-53170
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53170.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53170
Downstream
Published
2026-06-25T08:38:48.728Z
Modified
2026-07-08T08:09:45.458825842Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
accel/ethosu: reject DMA commands with uninitialized length
Details

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmdstateinit() initializes the command state with memset(0xff), leaving dma->len at U64MAX to signal missing setup. The only setter is NPUSETDMA0LEN; if userspace omits this command and issues NPUOPDMASTART, dma->len remains U64MAX.

In dmalength(), a positive stride added to U64MAX wraps to a small value. With size0 == 1, checkmuloverflow() does not trigger and dmalength() returns 0 instead of U64MAX. The caller's U64MAX check then passes, regionsize[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.

Fix by checking for U64MAX at the start of dmalength() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53170.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b
Fixed
fb25c76a820ca8a547aa478bfb503da0a11494ab
Fixed
d9d021218162b6c4fe0bdf42b2b340f1aae23a12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53170.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53170.json"