PatchSiren cyber security CVE debrief

CVE-2026-53170 Linux CVE debrief

CVE-2026-53170 is a high-severity vulnerability in the Linux kernel, with a CVSS score of 8.8. It is caused by improper handling of DMA commands with an uninitialized length in the accel/ethosu driver: the command state is incompletely initialized, leaving the dma->len field at U64_MAX, which lets the bounds check in ethosu_job.c be bypassed. An attacker with local access and low privileges can exploit this to make the hardware execute DMA with stale physical addresses, potentially leading to privilege escalation and denial of service. The vulnerability has been resolved by adding a check for U64_MAX at the start of dma_length() before any arithmetic.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-28
Advisory published: 2026-06-25
Advisory updated: 2026-06-28

Who should care

Linux kernel developers, Linux distribution maintainers, and operators of Linux-based systems that build or load the accel/ethosu driver should be aware of this vulnerability. Because it can be exploited by an attacker who already has local access and low privileges, it matters on any system where untrusted local users or processes can reach the driver.

Technical summary

The accel/ethosu driver in the Linux kernel does not properly handle DMA commands with an uninitialized length. The cmd_state_init() function initializes the command state with memset(0xff), leaving dma->len at U64_MAX as a sentinel for "not yet configured". If userspace omits the NPU_SET_DMA0_LEN command and issues NPU_OP_DMA_START, dma->len is still U64_MAX when the job is validated. In dma_length(), the positive stride is added to U64_MAX before any sentinel check, so the sum wraps to a small value and the function returns 0 instead of U64_MAX. The caller's U64_MAX check therefore passes, the bounds check in ethosu_job.c is bypassed, and the hardware executes DMA with stale physical addresses.
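The following C model, added here as an example and not taken from the Linux kernel or the accel/ethosu driver, reproduces the failure mode described above and the shape of the fix. The struct, the extent formula (len plus one stride per row) and the caller's checks are assumptions chosen for illustration; the page does not give the driver's real arithmetic, and the real function is reported to return 0 where this model returns stride - 1. What the model does show is the essential point: any arithmetic on the U64_MAX sentinel before it is checked turns "unset" into a small, in-bounds length.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Sentinel described on the page: cmd_state_init() fills the command state
 * with memset(0xff), so a length never set by NPU_SET_DMA0_LEN reads as U64_MAX. */
#define DMA_LEN_UNSET UINT64_MAX

/* Hypothetical, simplified DMA command state; not the driver's real struct. */
struct dma_cmd {
    uint64_t len;     /* DMA_LEN_UNSET if NPU_SET_DMA0_LEN was omitted */
    uint64_t stride;  /* row stride in bytes, assumed positive */
    uint64_t rows;    /* rows transferred, assumed >= 1 */
};

/* Assumed extent formula: len plus one stride per row. The real formula is
 * not on the page; what matters is that arithmetic touches len at all. */
static uint64_t dma_extent(const struct dma_cmd *dma)
{
    return dma->len + dma->rows * dma->stride;   /* unsigned wrap is defined in C */
}

/* Model of the pre-fix dma_length(): arithmetic runs first, so an unset len of
 * U64_MAX plus a positive stride wraps to a small number (stride - 1 for one
 * row) instead of propagating the sentinel to the caller. */
static uint64_t dma_length_unfixed(const struct dma_cmd *dma)
{
    return dma_extent(dma);
}

/* Model of the fixed dma_length(): reject the sentinel before any arithmetic. */
static uint64_t dma_length_fixed(const struct dma_cmd *dma)
{
    if (dma->len == DMA_LEN_UNSET)
        return DMA_LEN_UNSET;
    return dma_extent(dma);
}

typedef uint64_t (*dma_length_fn)(const struct dma_cmd *);

/* Model of the caller's validation in ethosu_job.c: the U64_MAX check first,
 * then an overflow-safe bounds check against the job's buffer. Returns true
 * if the transfer would be handed to hardware. */
static bool dma_start_allowed(const struct dma_cmd *dma, uint64_t base_addr,
                              uint64_t region_size, dma_length_fn length)
{
    uint64_t len = length(dma);

    if (len == DMA_LEN_UNSET)
        return false;                        /* length was never configured */
    if (len > region_size || base_addr > region_size - len)
        return false;                        /* would run past the buffer */
    return true;
}

/* Constructed scenario from the page: NPU_SET_DMA0_LEN omitted, then
 * NPU_OP_DMA_START issued, so len still holds the memset(0xff) sentinel. */
static const struct dma_cmd unset_cmd = { .len = DMA_LEN_UNSET, .stride = 64, .rows = 1 };
/* Constructed well-formed command that both versions should accept. */
static const struct dma_cmd good_cmd  = { .len = 256, .stride = 64, .rows = 1 };

static uint64_t unfixed_unset_length(void) { return dma_length_unfixed(&unset_cmd); }
static uint64_t fixed_unset_length(void)   { return dma_length_fixed(&unset_cmd); }

static bool unfixed_accepts_unset(void)
{
    return dma_start_allowed(&unset_cmd, 0x1000, 0x10000, dma_length_unfixed);
}
static bool fixed_accepts_unset(void)
{
    return dma_start_allowed(&unset_cmd, 0x1000, 0x10000, dma_length_fixed);
}
static bool fixed_accepts_good(void)
{
    return dma_start_allowed(&good_cmd, 0x1000, 0x10000, dma_length_fixed);
}

int main(void)
{
    printf("unfixed: unset len -> %llu, DMA allowed: %s\n",
           (unsigned long long)unfixed_unset_length(),
           unfixed_accepts_unset() ? "yes (bug)" : "no");
    printf("fixed:   unset len -> U64_MAX? %s, DMA allowed: %s\n",
           fixed_unset_length() == DMA_LEN_UNSET ? "yes" : "no",
           fixed_accepts_unset() ? "yes" : "no (rejected)");
    printf("fixed:   well-formed command allowed: %s\n",
           fixed_accepts_good() ? "yes" : "no");
    return 0;
}
```

With the unfixed model the sentinel command yields a length of 63 and passes both checks, so the transfer would be issued using whatever address the state still holds; with the fix the sentinel survives to the caller and the job is rejected, while a properly configured command is still accepted. The detection angle for defenders is the same as the fix's logic: a DMA start without a preceding length setup is never a valid job.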

Defensive priority

Patching should be treated as high priority: the flaw is exploitable by an attacker with only local access and low privileges, and the fix is a small, self-contained change to dma_length(). Linux kernel developers and distribution maintainers should ship the fix promptly so that exposed systems can update.

Recommended defensive actions

  • Apply the official patch that updates the accel/ethosu driver
  • Verify that the running Linux kernel includes the latest security patches
  • Monitor system logs for potential exploitation attempts
  • Implement additional security controls, such as SELinux or AppArmor, to restrict which users and processes can reach the driver
  • Perform regular vulnerability scans and risk assessments to identify kernels that are still unpatched

Evidence notes

The CVE-2026-53170 vulnerability was introduced due to the incomplete initialization of the command state in the accel/ethosu driver. The vulnerability has been resolved by adding a check for U64_MAX at the start of dma_length() before any arithmetic. The CVSS score for this vulnerability is 8.8, indicating a high-severity vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.