Description
In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only

The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace
writes the buffer sampling frequency sysfs attribute, calls
st_lsm6dsx_check_odr(), which accesses the odr_table array at index
`sensor->id`; since this array is only 2 entries long, an access for any
sensor type other than accelerometer or gyroscope is an out-of-bounds
access.

The motivation for being able to set a buffer frequency different from the
sensor sampling frequency is to support use cases that need accurate event
detection (which requires a high sampling frequency) while retrieving
sensor data at low frequency. Since all the supported event types are
generated from acceleration data only, do not create the buffer sampling
frequency attribute for sensor types other than the accelerometer.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When a user writes a buffer sampling frequency to the st_lsm6dsx driver via a sysfs attribute, the driver checks the desired rate by accessing an array indexed by the sensor’s identifier. The array only contains two entries for the accelerometer and gyroscope, so any attempt to set the frequency for a different sensor type indexes outside the array bounds, exposing kernel memory contents. This out‑of‑bounds read can potentially disclose confidential data and, depending on how the memory is interpreted, could destabilize the kernel. The flaw resides in the st_lsm6dsx driver module of the Linux kernel.

Affected Systems

All Linux kernel builds that include the st_lsm6dsx driver before the patch, including the 7.0 release candidates (rc1 through rc6) and other earlier versions that compile the driver. Systems using the default kernel configuration with the driver enabled are affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a moderate‑to‑high severity. The EPSS score of less than 1% shows a very low exploitation probability at the time of this report. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to have root or elevated privileges capable of writing to the sysfs attribute, making it a local privilege‑escalation scenario rather than a remote attack.

Generated by OpenCVE AI on May 8, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the patched st_lsm6dsx driver code
  • Apply a backport or local patch that limits odr_table access to valid sensor indices
  • As a temporary countermeasure, avoid or disable the buffer_sampling_frequency sysfs attribute for sensors other than the accelerometer

Generated by OpenCVE AI on May 8, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References

Fri, 01 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace writes the buffer sampling frequency sysfs attribute, calls st_lsm6dsx_check_odr(), which accesses the odr_table array at index `sensor->id`; since this array is only 2 entries long, an access for any sensor type other than accelerometer or gyroscope is an out-of-bounds access. The motivation for being able to set a buffer frequency different from the sensor sampling frequency is to support use cases that need accurate event detection (which requires a high sampling frequency) while retrieving sensor data at low frequency. Since all the supported event types are generated from acceleration data only, do not create the buffer sampling frequency attribute for sensor types other than the accelerometer.
Title iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:21.708Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31764

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:39.523

Modified: 2026-05-08T18:04:24.963

Link: CVE-2026-31764

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31764 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:15:18Z

Weaknesses