Description
In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only

The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace
writes the buffer sampling frequency sysfs attribute, calls
st_lsm6dsx_check_odr(), which accesses the odr_table array at index
`sensor->id`; since this array is only 2 entries long, an access for any
sensor type other than accelerometer or gyroscope is an out-of-bounds
access.

The motivation for being able to set a buffer frequency different from the
sensor sampling frequency is to support use cases that need accurate event
detection (which requires a high sampling frequency) while retrieving
sensor data at low frequency. Since all the supported event types are
generated from acceleration data only, do not create the buffer sampling
frequency attribute for sensor types other than the accelerometer.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the st_lsm6dsx driver in the Linux kernel. When userspace writes a buffer sampling frequency to the sysfs attribute, the driver calls a function that indexes an array with the sensor's identifier. Because the array contains only two entries, a write for any sensor type other than the accelerometer or gyroscope causes an out-of-bounds read. This can expose internal kernel memory contents and may lead to a denial-of-service if the read corrupts control data. The flaw does not directly allow arbitrary code execution but can compromise confidentiality or cause instability.
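
An added example, not the kernel driver's code or anything from the original record: a user-space C model of the lookup described above. The enum, table values and function names are hypothetical; the bounds check is an extra defensive measure assumed here, while the accelerometer-only attribute gate mirrors the approach the description states.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not kernel code. */
enum model_sensor_id { MODEL_ID_GYRO, MODEL_ID_ACC, MODEL_ID_EXT0, MODEL_ID_EXT1, MODEL_ID_MAX };

struct model_odr_entry { unsigned int milli_hz[4]; size_t len; };

/* Two entries only, as in the description: gyroscope and accelerometer. */
static const struct model_odr_entry model_odr_table[2] = {
    [MODEL_ID_GYRO] = { { 12500, 26000, 52000, 104000 }, 4 },  /* constructed values */
    [MODEL_ID_ACC]  = { { 12500, 26000, 52000, 104000 }, 4 },  /* constructed values */
};
#define MODEL_ODR_TABLE_LEN (sizeof(model_odr_table) / sizeof(model_odr_table[0]))

/* Unchecked pattern (shown only as a comment): any id >= 2 indexes past the table.
 *     const struct model_odr_entry *e = &model_odr_table[id];
 */

/* Defence in depth (assumed here, not stated in the record): reject ids the
 * table does not cover before indexing. Returns 0 and stores the first rate
 * >= req, or -1 on an uncovered id or when no rate matches. */
int model_check_odr(enum model_sensor_id id, unsigned int req, unsigned int *out)
{
    if ((size_t)id >= MODEL_ODR_TABLE_LEN)
        return -1;
    const struct model_odr_entry *e = &model_odr_table[id];
    for (size_t i = 0; i < e->len; i++) {
        if (e->milli_hz[i] >= req) {
            *out = e->milli_hz[i];
            return 0;
        }
    }
    return -1;
}

/* The approach the description states: create the buffer sampling
 * frequency attribute for the accelerometer only. */
int model_has_buffer_odr_attr(enum model_sensor_id id)
{
    return id == MODEL_ID_ACC;
}

int main(void)
{
    unsigned int odr = 0;
    for (int id = MODEL_ID_GYRO; id < MODEL_ID_MAX; id++)
        printf("id=%d attr=%d check=%d\n", id,
               model_has_buffer_odr_attr(id), model_check_odr(id, 20000, &odr));
    return 0;
}
```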

Affected Systems

The flaw affects Linux kernel installations that include the st_lsm6dsx driver. All vendors using the stock Linux kernel with this driver, regardless of distribution, are potentially impacted. No specific kernel version is listed, so the problem likely exists in any kernel built with the existing driver code.

Risk and Exploitability

The CVSS and EPSS metrics are not reported, and the vulnerability is not listed in CISA's KEV catalog, implying no publicly known exploitation yet. Writing to the sysfs attribute typically requires elevated privileges, so the attack vector is local privilege escalation or a user with root access. Although the blast radius is limited to the kernel process, the out-of-bounds read could compromise sensitive data or cause a crash, making the risk moderate if the kernel is not patched.

Generated by OpenCVE AI on May 1, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the fixed st_lsm6dsx driver code
  • Reboot after updating to ensure the patched driver is loaded
  • Verify that the vulnerable sysfs attribute is no longer accessible by removing or disabling the buffer sampling configuration for non‑accelerometer sensors



Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 23:45:00 +0000

Values added:
  • Weaknesses: CWE-125

Fri, 01 May 2026 14:45:00 +0000

Values added:
  • Description: same text as the Description at the top of this record
  • Title: iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References:

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:55.230Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31764

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:39.523

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31764

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31764 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T23:30:06Z

Weaknesses