HIGH
iio LSM6DSX OOB
CVE-2026-31764
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 4.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only

The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace writes the buffer sampling frequency sysfs attribute, calls st_lsm6dsx_check_odr(), which accesses the odr_table array at index `sensor->id`; since this array is only 2 entries long, an access for any sensor type other than accelerometer or gyroscope is an out-of-bounds access.

The motivation for being able to set a buffer frequency different from the sensor sampling frequency is to support use cases that need accurate event detection (which requires a high sampling frequency) while retrieving sensor data at low frequency. Since all the supported event types are generated from acceleration data only, do not create the buffer sampling frequency attribute for sensor types other than the accelerometer.
02 KernelScan AI Analysis
Risk summary
Privileged local users (root) with access to IIO sysfs attributes can trigger an out-of-bounds array access in the st_lsm6dsx IMU driver, potentially causing kernel crashes. This affects systems with ST LSM6DSX inertial measurement units where root can write to buffer sampling frequency attributes for non-accelerometer sensors.
Vulnerability analysis
The vulnerability occurs in st_lsm6dsx_hwfifo_odr_store() when userspace writes to the buffer sampling frequency sysfs attribute. The function calls st_lsm6dsx_check_odr() which accesses odr_table[sensor->id], but this array only has 2 entries for accelerometer and gyroscope sensors. Writing to the attribute for other sensor types (like magnetometer or temperature sensors with sensor->id >= 2) causes an out-of-bounds read. The fix restricts creation of the buffer sampling frequency attribute to accelerometer sensors only, since event detection functionality only uses acceleration data. This prevents the vulnerable code path from being reached for other sensor types.
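A simplified user-space model of the indexing bug and the two guards discussed above, added here as an illustration; it is not the kernel driver's code. All `model_*` names, the sensor ids, the sample rates and the `-ENODEV` return are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical sensor ids for this model; only the first two have ODR tables. */
enum model_sensor_id {
    MODEL_ID_GYRO,
    MODEL_ID_ACC,
    MODEL_ID_EXT0,   /* stands in for any other sensor type */
};

struct model_odr_entry {
    unsigned int milli_hz[3];   /* constructed sample rates, ascending */
};

/* Two entries only, as in the description: gyroscope and accelerometer. */
static const struct model_odr_entry model_odr_table[2] = {
    [MODEL_ID_GYRO] = { { 12500, 26000, 52000 } },
    [MODEL_ID_ACC]  = { { 12500, 26000, 52000 } },
};

/* Defence in depth: validate the index before touching the table.
 * Returns the first supported rate >= req_milli_hz, or a negative errno. */
int model_check_odr(enum model_sensor_id id, unsigned int req_milli_hz)
{
    size_t i;
    if ((size_t)id >= ARRAY_SIZE(model_odr_table))
        return -EINVAL;   /* without this check the lookup is out of bounds */

    for (i = 0; i < ARRAY_SIZE(model_odr_table[id].milli_hz); i++)
        if (model_odr_table[id].milli_hz[i] >= req_milli_hz)
            return (int)model_odr_table[id].milli_hz[i];
    return -EINVAL;
}

/* Approach described by the fix: the attribute exists for the accelerometer only. */
int model_has_buffer_odr_attr(enum model_sensor_id id)
{
    return id == MODEL_ID_ACC;
}

/* Model of the sysfs store handler with the attribute gate applied. */
int model_hwfifo_odr_store(enum model_sensor_id id, unsigned int req_milli_hz)
{
    if (!model_has_buffer_odr_attr(id))
        return -ENODEV;   /* attribute absent for this sensor in the model */
    return model_check_odr(id, req_milli_hz);
}
```

The attribute gate removes the reachable path, while the index check in the lookup keeps any future caller from repeating the same out-of-bounds access.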
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.12 | 3225a81e8d26 |
| mainline | 7.0 | 679c04c10d65 |