diff --git a/src/port/stm32/stm32_eth.c b/src/port/stm32/stm32_eth.c
index 92af661d..88004c4c 100644
--- a/src/port/stm32/stm32_eth.c
+++ b/src/port/stm32/stm32_eth.c
@@ -207,12 +207,14 @@ struct eth_desc {
 #if defined(STM32H7) || defined(STM32N6)
 #define ETH_SECTION __attribute__((section(".eth_buffers")))
 #elif defined(STM32H5)
-/* H5 places ETH descriptors and buffers in the regular .bss region.
- * Both TZEN=0 (TrustZone disabled) and TZEN=1 (NS app under wolfBoot)
- * link RAM into a single NS-accessible region; no separate ETHMEM
- * alias is needed since the CPU and ETH DMA both run in NS world and
- * share the same NS view of physical SRAM. */
-#define ETH_SECTION
+/* H5 pins ETH descriptors and buffers into the .eth_buffers section.
+ * Under TZEN=1, wolfBoot keeps SRAM3 non-secure but PRIVILEGED and
+ * cedes SRAM2 as non-secure + UNPRIVILEGED. The H5 ETH DMA master is
+ * unprivileged, so its descriptors/buffers must live in SRAM2; the
+ * linker script places .eth_buffers at the base of NS RAM (SRAM2 at
+ * 0x20040000). The same macro is used for TZEN=0, which has no
+ * privilege constraint but maps .eth_buffers the same way. */
+#define ETH_SECTION __attribute__((section(".eth_buffers")))
 #endif
 
 /* DMA descriptor / buffer addresses are taken as-is. NS pointers map
diff --git a/src/port/stm32h563/target.ld b/src/port/stm32h563/target.ld
index 77911b7d..0163ce3a 100644
--- a/src/port/stm32h563/target.ld
+++ b/src/port/stm32h563/target.ld
@@ -64,6 +64,17 @@ SECTIONS
         __fini_array_end = .;
     } > FLASH
 
+    /* ETH DMA arena. TrustZone is disabled here so there is no privilege
+     * constraint, but stm32_eth.c emits descriptors/buffers into the
+     * named .eth_buffers section for all STM32H5 builds, so give it an
+     * explicit home in RAM. */
+    .eth_buffers (NOLOAD) :
+    {
+        . = ALIGN(32);
+        KEEP(*(.eth_buffers))
+        . = ALIGN(32);
+    } > RAM
+
     .data :
     {
         . = ALIGN(4);
diff --git a/src/port/stm32h563/target_tzen.ld b/src/port/stm32h563/target_tzen.ld
index da04637e..a604e96b 100644
--- a/src/port/stm32h563/target_tzen.ld
+++ b/src/port/stm32h563/target_tzen.ld
@@ -11,11 +11,15 @@
  * RAM: wolfBoot (patched hal_gtzc_init / hal_tz_sau_init) keeps SRAM1
  * secure for its own use and cedes SRAM2 + SRAM3 to NS:
  *   NS RAM: 0x20040000 .. 0x2009FFFF (384 KB, SRAM2 + SRAM3)
+ * SRAM2 (0x20040000, 64 KB) is non-secure + UNPRIVILEGED; SRAM3
+ * (0x20050000, 320 KB) is non-secure + PRIVILEGED. The .eth_buffers
+ * section is placed first so the ETH DMA descriptors/buffers land in
+ * SRAM2: the H5 ETH DMA master is unprivileged and can only reach the
+ * unprivileged window. The privileged NS CPU uses the rest of RAM.
  *
  * The NS app runs in Non-Secure world; plain LDR/STR carry HNONSEC=1,
  * matching the H5 product-default NS attribution for the ETH peripheral
- * and DMA. ETH descriptors and buffers live in the same NS RAM region
- * as everything else -- no separate ETHMEM alias is needed.
+ * and DMA.
  */
 
 MEMORY
@@ -78,6 +82,18 @@ SECTIONS
         __fini_array_end = .;
     } > FLASH
 
+    /* ETH DMA arena: placed first in RAM (RAM ORIGIN = 0x20040000 =
+     * SRAM2 base) so descriptors/buffers stay in the unprivileged SRAM2
+     * window reachable by the unprivileged ETH DMA master. NOLOAD: no
+     * FLASH load image, so LOADADDR(.data) below is unaffected. */
+    .eth_buffers (NOLOAD) :
+    {
+        . = ALIGN(32);
+        KEEP(*(.eth_buffers))
+        . = ALIGN(32);
+    } > RAM
+    ASSERT(. <= 0x20050000, ".eth_buffers must fit within SRAM2 (0x20040000-0x2004FFFF)")
+
     .data :
     {
         . = ALIGN(4);