CVE-2026-53171

HIGH

accel/ethosu: fix arithmetic issues in dma_length()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dma_length() dma_length() derives DMA region usage from command stream values and updates region_size[]: len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset) Several arithmetic issues can corrupt the derived region size: - signed stride values may underflow when added to len - intermediate multiplications may overflow - len + dma->offset may overflow during region_size updates - dma_length() error returns were not validated by the caller region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation. Fix by validating signed additions, using overflow helpers for multiplications and offset updates, and propagating dma_length() failures to the caller.

Scores

CVSS v3 8.8
EPSS 0.0014
EPSS Percentile 3.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (9)
linux/Kernel 6.19.0 - 7.0.13linux
Linux/Linux < 6.19
Linux/Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b - 6bb73845d1855ceaf50e397175e5979a7bdf69bc
Linux/Linux 5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b - ee6d9b6e51626f259c6f0e38d94f91be4fd14754
Linux/Linux 6.19
Linux/Linux 7.0.13 - 7.0.*
Linux/Linux 7.1
linux/linux_kernel 7.1 rc1 (6 CPE variants)
linux/linux_kernel 6.19 - 7.0.13
Published Jun 25, 2026
Tracked Since Jun 25, 2026