{"id":"CVE-2026-53172","summary":"accel/ethosu: fix IFM region index out-of-bounds in command stream parser","details":"In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ethosu: fix IFM region index out-of-bounds in command stream parser\n\nNPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving\na maximum value of 127. However region_size[] and output_region[] in\nstruct ethosu_validated_cmdstream_info are both sized to\nNPU_BASEP_REGION_MAX (8), giving valid indices [0..7].\n\nEvery other region assignment in the same switch uses param & 0x7:\n  NPU_SET_OFM_REGION:  st.ofm.region  = param & 0x7;\n  NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7;\n  NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7;\n  NPU_SET_SCALE_REGION:  st.scale[0].region  = param & 0x7;\n\nThe 0x7f mask on IFM is inconsistent and appears to be a typo.\n\nfeat_matrix_length() and calc_sizes() use the region index directly\nas an array subscript into the kzalloc'd info struct:\n  info-\u003eregion_size[fm-\u003eregion] = max(...);\n\nA userspace caller supplying NPU_SET_IFM_REGION with param \u003e 7 causes\na write up to 127*8 = 1016 bytes past the start of region_size[],\ncorrupting adjacent kernel heap data.\n\nFix by applying the same & 0x7 mask used by all other region\nassignments.","modified":"2026-07-08T08:09:45.627669880Z","published":"2026-06-25T08:38:50.056Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53172.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00f547e0dfecf83014fb32bcba587c6b684c1362"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee7bed779def61ebff1b92b0e851f412176fa416"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53172.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53172"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5a5e9c0228e613f0ef2a58b9782d7c0ea8f1e58b"},{"fixed":"ee7bed779def61ebff1b92b0e851f412176fa416"},{"fixed":"00f547e0dfecf83014fb32bcba587c6b684c1362"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53172.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53172.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}