CVE-2025-68731
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()
The unpublished smatch static checker reported a warning.
drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow 'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)'
Even this will not cause a real issue, it is better to put a reasonable limitation for element_size and num_element. Add condition to make sure the input element_size <= 4K and num_element <= 1K.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Linux AMD XDNA AI engine driver could let users corrupt kernel memory via crafted IOCTL sizes; patched.
Root
Cause An integer overflow vulnerability was found in the Linux kernel's AMD XDNA AI engine accelerator driver (accel/amdxdna). The function aie2_query_ctx_status_array() in aie2_pci.c did not properly validate user-supplied sizes for an IOCTL that queries context status. Specifically, the multiplication args->num_element * args->element_size could overflow a 32-bit integer, potentially allowing an attacker to specify a very small total allocation size while the kernel would later read or write far more memory than intended. This class of bug is a classic user-controlled size overflow, flagged by the smatch static analyzer [1].
Exploitation
Prerequisites The vulnerability is reachable through the IOCTL interface exposed by the amdxdna driver to userspace applications. An attacker needs local access to the system and permission to open the accelerator device (likely chardev). No special privileges beyond normal user access to the device node are required. The attacker supplies crafted values for num_element and element_size such that the multiplication wraps around, typically making the product a small positive number while the actual memory operations use a different size [1].
Impact
A successful exploit could lead to a kernel heap buffer overflow, as the kernel would allocate a small buffer based on the overflowed product but then copy in/out data using the original (much larger) values. This could corrupt adjacent kernel memory, likely resulting in a denial of service (kernel crash). In some configurations, local privilege escalation or arbitrary code execution in kernel context might be achievable, though the patch notes imply no active exploitation was observed at the time of fixing [1].
Mitigation
The fix, committed to the Linux kernel stable tree, adds explicit validation: element_size is capped at 4K and num_element at 1K, preventing the overflow from being triggered. Users should update their kernel to a version containing commit 9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82 or later. No alternative workarounds are documented for unpatched kernels [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.