CVE-2026-53173 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered (bit 14 set), but does not re-check the loop bound before writing the second word:
    for (i = 0; i < size / 4; i++) {
        bocmds[i] = cmds[0];
        if (cmd & 0x4000) {
            i++;
            bocmds[i] = cmds[1]; /* unchecked */
        }
    }
The buffer bocmds is backed by a DMA allocation of exactly size bytes from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1].
When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is set, bocmds[size/4-1] is written in bounds, i is then incremented to size/4, and bocmds[size/4] writes four bytes past the end of the allocation.
Userspace controls both the buffer contents and the size argument via the ioctl, making this a userspace-triggerable heap out-of-bounds write.
Fix by checking the incremented index against the buffer bound before the second write and returning -EINVAL if the buffer is too small to contain the extended command.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability resides in the Linux kernel's accel/ethosu driver, where an out-of-bounds write occurs during command stream parsing. The affected function is ethosu_gem_cmdstream_copy_and_validate(), which processes command streams submitted by userspace. The flaw is missing bounds checking inside the loop that handles 64-bit command words, which allows a write beyond the allocated buffer.
The bug is a classic off-by-one pattern: the index variable is incremented twice within a single loop iteration when a 64-bit command is processed. The parsing loop walks the command stream in 4-byte words, and when it encounters a command word with bit 14 set (indicating a 64-bit command), it increments the index a second time before writing the second word. That second increment is not validated against the allocated buffer bound.
The buffer is allocated with drm_gem_dma_create(), which reserves exactly size bytes for bocmds, so the valid indices are 0 to size/4-1. If the command word at the final valid index has bit 14 set, the first write succeeds within bounds, but the extra increment moves the index to size/4. The second write then stores to bocmds[size/4], four bytes beyond the allocation, producing a heap overflow that is reachable entirely from userspace.
The weakness is classified as CWE-129 and is mapped to attack technique tt0001 in the attack tactics and techniques framework. A malicious userspace process can craft a command stream that triggers the memory corruption, with privilege escalation or denial of service as the potential outcomes. The overflow is reachable because userspace controls both the buffer contents passed through the ioctl and the size parameter that determines the allocation bound.
The fix adds a bounds check after the index increment and before the second write. When the incremented index would fall outside the valid buffer range, the function returns -EINVAL instead of performing the out-of-bounds access. Command stream validation therefore fails cleanly on a malformed or truncated extended command, and the heap corruption cannot occur.
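The following is an added example, not code from the kernel or from the commit described in the summary and analysis above. It is a userspace model of the copy loop: one function mirrors the index arithmetic of the unpatched loop without performing any store and reports the highest index it would write, and a second function implements the patched loop with the re-check after the second increment, returning -EINVAL when a 64-bit command sits in the last slot. The names CMD_64BIT, unpatched_max_write_index, copy_and_validate and validate_stream, and the three sample streams, are assumptions constructed for this illustration.

```c
/*
 * Added example, not the kernel's code: a userspace model of the
 * accel/ethosu command-stream copy loop.  The identifiers below are
 * assumptions chosen for this illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CMD_64BIT 0x4000u  /* bit 14: command word is followed by a second word */

/*
 * Mirrors the index arithmetic of the unpatched loop without storing
 * anything, and returns the highest index it would write.  A result equal
 * to size/4 means the loop would write one word past the DMA allocation.
 */
static size_t unpatched_max_write_index(const uint32_t *cmds, size_t size)
{
	size_t n = size / 4, i, max = 0;

	for (i = 0; i < n; i++) {
		if (i > max)
			max = i;
		if (cmds[i] & CMD_64BIT) {
			i++;            /* second increment, not re-checked against n */
			if (i > max)
				max = i;    /* i == n here is the out-of-bounds write */
		}
	}
	return max;
}

/* Predicate: would the unpatched loop write past a size-byte buffer? */
static int unpatched_overflows(const uint32_t *cmds, size_t size)
{
	return size >= 4 && unpatched_max_write_index(cmds, size) >= size / 4;
}

/*
 * Patched loop: after the second increment, re-check the bound and reject
 * the stream with -EINVAL if the extended command does not fit.
 * Returns 0 on success; bocmds must hold at least size/4 words.
 */
static int copy_and_validate(const uint32_t *cmds, uint32_t *bocmds, size_t size)
{
	size_t n = size / 4, i;

	for (i = 0; i < n; i++) {
		bocmds[i] = cmds[i];
		if (cmds[i] & CMD_64BIT) {
			i++;
			if (i >= n)
				return -EINVAL;    /* 64-bit command in the last slot */
			bocmds[i] = cmds[i];   /* second word is data, not a command */
		}
	}
	return 0;
}

/* Allocate exactly size bytes (as the DMA allocation does), run the patched
 * copy, and return its result. */
static int validate_stream(const uint32_t *cmds, size_t size)
{
	uint32_t *bocmds = malloc(size ? size : 1);
	int rc;

	if (!bocmds)
		return -ENOMEM;
	rc = copy_and_validate(cmds, bocmds, size);
	free(bocmds);
	return rc;
}

/* Constructed sample streams, 16 bytes each (four 32-bit words). */
static const uint32_t STREAM_OK[4]   = { 0x0001, 0x4002, 0xdead, 0x0003 }; /* 64-bit cmd at 1, data at 2 */
static const uint32_t STREAM_BAD[4]  = { 0x0001, 0x0002, 0x0003, 0x4004 }; /* 64-bit cmd in the last slot */
static const uint32_t STREAM_DATA[4] = { 0x4001, 0x4000, 0x0002, 0x0003 }; /* data word has bit 14 set */

int main(void)
{
	printf("STREAM_OK  : unpatched max index %zu, patched rc %d\n",
	       unpatched_max_write_index(STREAM_OK, 16), validate_stream(STREAM_OK, 16));
	printf("STREAM_BAD : unpatched max index %zu (valid 0..3), patched rc %d\n",
	       unpatched_max_write_index(STREAM_BAD, 16), validate_stream(STREAM_BAD, 16));
	printf("STREAM_DATA: unpatched max index %zu, patched rc %d\n",
	       unpatched_max_write_index(STREAM_DATA, 16), validate_stream(STREAM_DATA, 16));
	return 0;
}
```

The third stream shows why the check must sit at the second write rather than on the next loop iteration: the word following a 64-bit command is data and is consumed by the inner increment, so a data word that happens to have bit 14 set is never interpreted as a command. The only unsafe shape is a 64-bit command word in the final slot, which is exactly the case the re-check rejects.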
The operational impact goes beyond simple memory corruption: a malicious userspace process could use the out-of-bounds write to modify kernel memory structures as a step toward privilege escalation. The issue affects systems using the accel/ethosu driver, and command stream inputs should be monitored for exploitation attempts. Organizations should prioritize applying the kernel update, and should validate inputs at the application level so that malformed command sequences do not reach the driver.