accel/ethosu: reject DMA commands with uninitialized length_CVE-2026-53170

8.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: reject DMA commands with uninitialized length

cmd_state_init() initializes the command state with memset(0xff),
leaving dma->len at U64_MAX to signal missing setup. The only setter
is NPU_SET_DMA0_LEN; if userspace omits this command and issues
NPU_OP_DMA_START, dma->len remains U64_MAX.

In dma_length(), a positive stride added to U64_MAX wraps to a small
value. With size0 == 1, check_mul_overflow() does not trigger and
dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check
then passes, region_size[] stays 0, and the bounds check in
ethosu_job.c is bypassed, allowing hardware to execute DMA with stale
physical addresses.

Fix by checking for U64_MAX at the start of dma_length() before any
arithmetic, consistent with the sentinel value used throughout the
driver to detect uninitialized fields.

AI Analysis

DMA commands with uninitialized length can be executed, allowing hardware to access stale physical addresses

Basic Information

ID CVE-2026-53170

Source Linux

Published Jun 25, 2026 at 08:38

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b

Affected Versions Linux Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b
Linux Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b
Linux Linux 6.19

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor The Linux Foundation

Product Linux Kernel

Version 6.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ethosu: reject DMA commands with uninitialized length\n\ncmd_state_init() initializes the command state with memset(0xff),\nleaving dma->len at U64_MAX to signal missing setup. The only setter\nis NPU_SET_DMA0_LEN; if userspace omits this command and issues\nNPU_OP_DMA_START, dma->len remains U64_MAX.\n\nIn dma_length(), a positive stride added to U64_MAX wraps to a small\nvalue. With size0 == 1, check_mul_overflow() does not trigger and\ndma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check\nthen passes, region_size[] stays 0, and the bounds check in\nethosu_job.c is bypassed, allowing hardware to execute DMA with stale\nphysical addresses.\n\nFix by checking for U64_MAX at the start of dma_length() before any\narithmetic, consistent with the sentinel value used throughout the\ndriver to detect uninitialized fields.",
    "published": "2026-06-25T08:38:48.728Z",
    "modified": "2026-06-28T06:39:41.997Z",
    "type": "cve",
    "title": "accel/ethosu: reject DMA commands with uninitialized length",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/fb25c76a820ca8a547aa478bfb503da0a11494ab\nhttps://git.kernel.org/stable/c/d9d021218162b6c4fe0bdf42b2b340f1aae23a12",
    "id": "CVE-2026-53170",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b\nLinux Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b\nLinux Linux 6.19",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b",
    "vendor": "Linux",
    "ai_description": "DMA commands with uninitialized length can be executed, allowing hardware to access stale physical addresses",
    "ai_severity": "High",
    "ai_vendor": "The Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "6.19",
    "ai_score": 8.8
}