CVE-2026-53170 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: reject DMA commands with uninitialized length
cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.
In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.
Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability identified in the Linux kernel's ethosu acceleration driver is a critical initialization flaw that enables unauthorized memory access through malformed DMA commands. The issue resides within the hardware accelerator subsystem responsible for processing neural network operations on embedded systems. The root cause is improper state management during command initialization: cmd_state_init() uses memset(0xff) to initialize command structures, deliberately leaving the dma->len field at U64_MAX as a sentinel value marking it uninitialized. This design follows the driver's convention for detecting incomplete command setup, but it becomes dangerous when a userspace application omits the mandatory NPU_SET_DMA0_LEN command before starting the DMA.
The technical flaw manifests as a specific arithmetic overflow during DMA length calculation in the dma_length() function. When the NPU_OP_DMA_START command is issued without a prior NPU_SET_DMA0_LEN, the dma->len field retains its U64_MAX initialization value. During processing, a positive stride is added to this maximum unsigned 64-bit value, and the addition wraps around to a small number. check_mul_overflow() does not catch the condition because size0 equals 1, so the function returns 0 instead of the expected U64_MAX sentinel. Because the caller tests only for U64_MAX, the wrapped result passes validation and the later bounds check is bypassed.
The operational impact of this vulnerability extends beyond simple memory corruption to potential privilege escalation and system instability. The bypassed bounds check in ethosu_job.c allows the hardware to execute DMA with stale physical addresses that could point to arbitrary memory locations, potentially enabling attackers to manipulate data flows or access protected system resources. The flaw relates to CWE-129, which covers insufficient bounds checking, and CWE-682, which covers incorrect arithmetic that produces unexpected results. Within the ATT&CK framework the vulnerability is mapped to T1059.003 (command and scripting interpreter execution), since it lets malicious code manipulate hardware command sequences.
The fix addresses the issue by adding an early validation check at the beginning of the dma_length() function that tests for U64_MAX before any arithmetic takes place. This keeps the function consistent with the sentinel-value pattern used throughout the driver and prevents the wraparound that led to the security bypass. The change aligns with established practice for preventing integer overflow and ensures the command state is validated before hardware execution. The mitigation closes the vulnerability window while preserving backward compatibility with legitimate command sequences, though it warrants a check of existing userspace applications that might rely on specific initialization behaviors.
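The wraparound and the fix described above, as an added C model written for this page rather than taken from the driver: the struct fields, the (length + stride) * size0 formula, the caller that records region_size[] and the stride value of 1 are assumptions, and the compiler builtin stands in for check_mul_overflow().

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
typedef uint64_t u64;
#define U64_MAX UINT64_MAX
/* Constructed model of the command state; the field names are assumptions. */
struct dma_state {
	u64 len;     /* only NPU_SET_DMA0_LEN sets this */
	u64 stride0; /* positive stride added to the length */
	u64 size0;   /* element count multiplied in */
};
static u64 region_size[1]; /* models the caller's region_size[] table */
/* Same sentinel scheme as the driver: every field starts at all-ones. */
static void cmd_state_init(struct dma_state *dma)
{
	memset(dma, 0xff, sizeof(*dma));
}
/* Pre-fix shape: arithmetic runs before the sentinel is inspected. */
static u64 dma_length_vuln(const struct dma_state *dma)
{
	u64 span = dma->len + dma->stride0; /* U64_MAX + stride wraps small */
	u64 total;
	/* stands in for check_mul_overflow(); with size0 == 1 it never trips */
	if (__builtin_mul_overflow(span, dma->size0, &total))
		return U64_MAX;
	return total;
}

/* Post-fix shape: reject the uninitialised sentinel before any arithmetic. */
static u64 dma_length_fixed(const struct dma_state *dma)
{
	if (dma->len == U64_MAX)
		return U64_MAX;
	return dma_length_vuln(dma);
}

/* Reproduces the report: stride and count set, length never set. The caller
 * treats only U64_MAX as an error, so a wrapped 0 becomes the region size. */
static int run_uninitialised(int fixed)
{
	struct dma_state dma;
	cmd_state_init(&dma);
	dma.stride0 = 1; /* 1 + U64_MAX wraps to exactly 0 */
	dma.size0 = 1;
	u64 len = fixed ? dma_length_fixed(&dma) : dma_length_vuln(&dma);
	if (len == U64_MAX)
		return -EINVAL;
	region_size[0] = len;
	return 0;
}
```

With the pre-fix function the command is accepted and region_size[0] is recorded as 0, which is the state in which the later bounds check no longer protects anything; the fixed function returns the sentinel and the caller rejects the command with -EINVAL.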