CVE-2026-53170

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX. In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses. Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
Configurations

No configuration.

History

28 Jun 2026, 08:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

25 Jun 2026, 09:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 09:16

Updated : 2026-06-30 14:44


NVD link : CVE-2026-53170

Mitre link : CVE-2026-53170

CVE.ORG link : CVE-2026-53170


JSON object : View

Products Affected

No product.

CWE

No CWE.