<Vulnerability name="CVE-2026-53172">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <PublicDate>2026-06-25T00:00:00</PublicDate>
    <Bugzilla id="2492781" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492781" xml:lang="en:us">
kernel: accel/ethosu: fix IFM region index out-of-bounds in command stream parser
    </Bugzilla>
    <CWE>CWE-1285</CWE>
    <Details xml:lang="en:us" source="Mitre">
In the Linux kernel, the following vulnerability has been resolved:

accel/ethosu: fix IFM region index out-of-bounds in command stream parser

NPU_SET_IFM_REGION extracts the region index with param &amp; 0x7f, giving
a maximum value of 127. However region_size[] and output_region[] in
struct ethosu_validated_cmdstream_info are both sized to
NPU_BASEP_REGION_MAX (8), giving valid indices [0..7].

Every other region assignment in the same switch uses param &amp; 0x7:
  NPU_SET_OFM_REGION:  st.ofm.region  = param &amp; 0x7;
  NPU_SET_IFM2_REGION: st.ifm2.region = param &amp; 0x7;
  NPU_SET_WEIGHT_REGION: st.weight[0].region = param &amp; 0x7;
  NPU_SET_SCALE_REGION:  st.scale[0].region  = param &amp; 0x7;

The 0x7f mask on IFM is inconsistent and appears to be a typo.

feat_matrix_length() and calc_sizes() use the region index directly
as an array subscript into the kzalloc'd info struct:
  info-&gt;region_size[fm-&gt;region] = max(...);

A userspace caller supplying NPU_SET_IFM_REGION with param &gt; 7 causes
a write up to 127*8 = 1016 bytes past the start of region_size[],
corrupting adjacent kernel heap data.

Fix by applying the same &amp; 0x7 mask used by all other region
assignments.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the Linux kernel's accel/ethosu component. An incorrect mask used when processing the NPU_SET_IFM_REGION command allows a local userspace caller to provide an out-of-bounds region index. This can lead to an out-of-bounds write, corrupting adjacent kernel heap data.
    </Details>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-53172
https://nvd.nist.gov/vuln/detail/CVE-2026-53172
https://lore.kernel.org/linux-cve-announce/2026062552-CVE-2026-53172-11a3@gregkh/T
    </References>
</Vulnerability>