CVE-2026-53173

CVE-2026-53173 describes a Linux kernel vulnerability in accel/ethosu where an OOB write can occur in ethosu_gem_cmdstream_copy_and_validate(). The root cause is a loop that increments the index a second time when a 64-bit command word is encountered (bit 14 set) but does not re-check the bound b...

CVE-2026-53172

The CVE-2026-53172 issue affects the Linux kernel’s accel/ethosu path where NPU_SET_IFM_REGION incorrectly used param & 0x7f, allowing an index up to 127 for region_size[]/output_region[] (sized to 8). This caused out-of-bounds writes (up to 1016 bytes) past region_size[] and potential kernel hea...

EUVD-2026-39263

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-bounds in command stream parser NPUSETIFMREGION extracts the region index with param & 0x7f, giving a maximum value of 127. However regionsize and outputregion in struct...

EUVD-2026-39264

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix OOB write in ethosugemcmdstreamcopyandvalidate The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered bit 14 set, but does not re-check the loop bou...

CVE-2026-53171

The CVE-2026-53171 entry concerns the Linux kernel’s accel/ethosu component. The issue arises in dma_length(), which derives DMA region usage from the command stream and updates region_size[]. The calculation len = ((len + stride[0]) * size0 + stride[1]) * size1 can suffer from signed underflow, ...

EUVD-2026-39262

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dmalength dmalength derives DMA region usage from command stream values and updates regionsize: len = len + stride0 size0 + stride1 size1 regionsizeregion = max..., len + dma-offset Several...

CVE-2026-53170

CVE-2026-53170 – Linux kernel (accel/ethosu) : Concrete details show a vulnerability where DMA commands could run with uninitialized length. The issue stems from cmd_state_init() initializing dma->len to U64_MAX and the only setter being NPU_SET_DMA0_LEN; if userspace omits this, dma_start lea...

CVE-2026-53169

The CVE affects the Linux kernel driver path accel/ethosu and specifically rejects NPU_OP_RESIZE commands from userspace. The root cause is a placeholder WARN_ON(1) that fires for DRM_IOCTL_ETHOSU_GEM_CREATE, allowing unbounded kernel log spam and, if panic_on_warn is set, a potential denial-of-s...

EUVD-2026-39260

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPUOPRESIZE commands from userspace NPUOPRESIZE is a U85-only command that the driver does not yet implement. The existing WARNON1 placeholder fires unconditionally whenever userspace submits this command via...

EUVD-2026-39261

In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmdstateinit initializes the command state with memset0xff, leaving dma-len at U64MAX to signal missing setup. The only setter is NPUSETDMA0LEN; if userspace omits this...