In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: fix IFM region index out-of-bounds in command stream parser
NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].
Every other region assignment in the same switch uses param & 0x7:
NPU_SET_OFM_REGION: st.ofm.region = param & 0x7;
NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;
NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7;
The 0x7f mask on IFM is inconsistent and appears to be a typo.
feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:
info->region_size[fm->region] = max(...);
A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.
Fix by applying the same & 0x7 mask used by all other region
assignments.
References
Configurations
Configuration 1 (hide)
|
History
06 Jul 2026, 18:23
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Linux linux Kernel
Linux |
|
| CWE | CWE-125 | |
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:* |
|
| References | () https://git.kernel.org/stable/c/00f547e0dfecf83014fb32bcba587c6b684c1362 - Patch | |
| References | () https://git.kernel.org/stable/c/ee7bed779def61ebff1b92b0e851f412176fa416 - Patch |
28 Jun 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
25 Jun 2026, 09:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-25 09:16
Updated : 2026-07-06 18:23
NVD link : CVE-2026-53172
Mitre link : CVE-2026-53172
CVE.ORG link : CVE-2026-53172
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-125
Out-of-bounds Read
