HIGH
iio MPU3050 Registration Race
CVE-2026-31761
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050: Move iio_device_register() to correct location iio_device_register() should be at the end of the probe function to prevent race conditions. Place iio_device_register() at the end of the probe function and place iio_device_unregister() accordingly.
02KernelScan AI Analysis
Risk summary
A race condition in the MPU-3050 gyroscope driver could allow local attackers to access an incompletely initialized device, potentially causing system crashes or undefined behavior. The vulnerability occurs during device initialization when the IIO interface becomes available before all driver resources are properly set up.
Vulnerability analysis
Root Cause: The iio_device_register() function was called too early in the probe function, before all device initialization was complete. This created a race condition where userspace could access the device through the IIO subsystem before the driver had finished setting up interrupts, power management, and other critical resources.
Attack Surface: Local access required. The vulnerability affects the MPU-3050 gyroscope driver initialization sequence. An attacker would need local access to trigger device probing (e.g., through device hotplug or module loading) and attempt to access the IIO device interface during the narrow race window.
Fix Mechanism: The patch moves iio_device_register() to the very end of the probe function, after all initialization is complete including IRQ setup and power management configuration. It also reorders iio_device_unregister() to be called first in the remove function to maintain proper cleanup ordering.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 22487ef85f6d |
| 5.15 | 5.15.203 | caec338f9146 |
| 6.1 | 6.1.168 | 051ca43b0e0e |
| 6.12 | 6.12.81 | 92f18aa86302 |
| 6.18 | 6.18.22 | cc3de12a5612 |
| 6.19 | 6.19.12 | 59a317f82156 |
| 6.6 | 6.6.134 | 2a4537653d20 |
| mainline | 7.0 | 4c0579944910 |