CVE-2026-53172 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix IFM region index out-of-bounds in command stream parser

NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a maximum value of 127. However, region_size[] and output_region[] in struct ethosu_validated_cmdstream_info are both sized to NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param & 0x7:

  NPU_SET_OFM_REGION:    st.ofm.region = param & 0x7;
  NPU_SET_IFM2_REGION:   st.ifm2.region = param & 0x7;
  NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;
  NPU_SET_SCALE_REGION:  st.scale[0].region = param & 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly as an array subscript into the kzalloc'd info struct:

  info->region_size[fm->region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes a write up to 127*8 = 1016 bytes past the start of region_size[], corrupting adjacent kernel heap data.

Fix by applying the same & 0x7 mask used by all other region assignments.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability resides in the Linux kernel's ethosu driver, which manages neural processing units for machine learning workloads. The flaw is in the command stream parser, where an inconsistent bit mask allows heap corruption through an out-of-bounds memory access. It affects the handling of the IFM region index during command parsing: the maximum index the parser accepts is larger than the maximum index the destination arrays can hold.

The flaw stems from the NPU_SET_IFM_REGION command handler, which applies param & 0x7f instead of the param & 0x7 mask used by every other region assignment in the same switch statement. This yields a maximum index of 127 rather than the expected 7, which contradicts the sizing of the region_size[] and output_region[] fields in the ethosu_validated_cmdstream_info structure: both hold NPU_BASEP_REGION_MAX (8) elements, with valid indices 0 to 7. The CWE-129 weakness class applies here, as this is improper input validation leading to out-of-bounds access.

The operational impact is significant because a malicious userspace process can corrupt kernel heap memory with a crafted command stream. When a userspace caller supplies a parameter greater than 7 to NPU_SET_IFM_REGION, the code writes beyond the allocated bounds of the region_size array, at offsets up to 1016 bytes past its start, overwriting adjacent kernel heap data. This type of memory corruption can lead to arbitrary code execution, system crashes, or privilege escalation, depending on which memory locations are overwritten and how much control the attacker has over the corrupted data.

The fix implements consistent bit masking across all region assignments by applying the same param & 0x7 mask used in other commands such as NPU_SET_OFM_REGION, NPU_SET_IFM2_REGION, NPU_SET_WEIGHT_REGION, and NPU_SET_SCALE_REGION. This ensures that all region indices are constrained to the valid range of 0-7 matching the actual array dimensions and preventing any out-of-bounds memory access. The ATT&CK technique T1059.008 for kernel-level code execution and T1068 for privilege escalation could be leveraged by attackers exploiting this vulnerability in a full attack chain.

This vulnerability shows why consistent implementation patterns matter in kernel drivers, where a seemingly minor inconsistency can create a significant security risk. The fix aligns with secure coding practices that emphasize defensive programming and consistent validation across all code paths. The issue affects systems using the ethosu driver for neural processing unit management, particularly those running Linux kernels with the affected driver components. Regular kernel updates and proper access controls remain essential mitigations while awaiting patch deployment.
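The mask mismatch described above can be checked mechanically. The following user-space C model is an added example, not code from the ethosu driver: struct info_model, the element types, REGION_MASK and every helper name are assumptions made for illustration, and the explicit bounds check at the point of use is a defence-in-depth pattern shown alongside the upstream mask fix, not a description of it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPU_BASEP_REGION_MAX 8 /* array size stated in the advisory */
#define REGION_MASK 0x7        /* mask used by the other region commands */
/* Build-time guard: the widest index the mask can yield must fit the arrays. */
_Static_assert(REGION_MASK < NPU_BASEP_REGION_MAX, "region mask exceeds array");

/* Simplified stand-in for the validated info struct; element types are assumed. */
struct info_model {
	uint64_t region_size[NPU_BASEP_REGION_MAX];
	uint8_t output_region[NPU_BASEP_REGION_MAX];
};

/* The largest value (param & mask) can take is the mask itself. */
static int mask_fits_array(unsigned int mask, size_t nelems)
{
	return (size_t)mask < nelems;
}

static unsigned int decode_region_before_fix(uint16_t param) { return param & 0x7f; }
static unsigned int decode_region_fixed(uint16_t param) { return param & REGION_MASK; }

/* Byte offset from the start of region_size[] that an index would address. */
static size_t region_size_offset(unsigned int idx)
{
	return (size_t)idx * sizeof(uint64_t);
}

/* Check the subscript where it is used, so a decode mistake cannot reach memory. */
static int record_region_size(struct info_model *info, unsigned int region, uint64_t len)
{
	if (region >= NPU_BASEP_REGION_MAX)
		return -EINVAL;
	if (len > info->region_size[region])
		info->region_size[region] = len;
	return 0;
}

int main(void)
{
	struct info_model info = {0};
	unsigned int bad = decode_region_before_fix(0x7f); /* constructed input */
	printf("0x7f mask: index %u, byte offset %zu, fits=%d\n", bad,
	       region_size_offset(bad), mask_fits_array(0x7f, NPU_BASEP_REGION_MAX));
	printf("checked update with index %u returns %d\n", bad, record_region_size(&info, bad, 64));
	printf("0x7 mask: index %u\n", decode_region_fixed(0x7f));
	return 0;
}
```

Running mask_fits_array over every mask that feeds an array subscript is a cheap review step for parsers of this shape.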

Responsible: Linux
Reservation: 06/09/2026
Disclosure: 06/25/2026
Moderation: accepted
CPE: ready
EPSS: 0.00162
KEV: no
Activities: low
