In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: reject DMA commands with uninitialized length
cmdstateinit() initializes the command state with memset(0xff), leaving dma->len at U64MAX to signal missing setup. The only setter is NPUSETDMA0LEN; if userspace omits this command and issues NPUOPDMASTART, dma->len remains U64MAX.
In dmalength(), a positive stride added to U64MAX wraps to a small value. With size0 == 1, checkmuloverflow() does not trigger and dmalength() returns 0 instead of U64MAX. The caller's U64MAX check then passes, regionsize[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.
Fix by checking for U64MAX at the start of dmalength() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53170.json",
"cna_assigner": "Linux"
}