CVE-2026-43357 - Vulnerability Details

- iio: gyro: mpu3050-core: fix pm_runtime error handling

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: gyro: mpu3050-core: fix pm_runtime error handling

The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.

In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel mpu3050‑core driver fails to verify the return value of pm_runtime_get_sync(), which means it may attempt to access MPU3050 hardware that has not successfully resumed from a low‑power state. In addition, the driver unconditionally increments the usage counter even when power‑resume fails. This flaw matches CWE‑390 (Run a program after detecting an error) and can cause the kernel to interact with a device that is not in the expected state, leading to unreliable device operation and incorrect power‑state accounting.

Affected Systems

All Linux kernel builds that include the unpatched mpu3050‑core driver are affected. The CVE references list general Linux kernel environments without specifying exact versions, so any kernel configuration containing this driver without the recent patch is potentially vulnerable.

Risk and Exploitability

The EPSS score is less than 1 % and the CVSS score is 5.5, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local access to a system that uses an MPU3050 sensor and the Linux kernel; this inference is drawn from the description indicating the flaw affects kernel power‑management. The flaw does not enable code execution or arbitrary system compromise. The overall risk is limited primarily to unreliable device operation and inaccurate power‑state accounting, and no known public exploits target this issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 935f57dd43492240e1ca220dd065d624efece6be
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 8544c488e50206f00630a8bbba43d2c8bd290345
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 2a86a396aa001a9f9ba2d37dda36573a76f17c90
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 66c0d1d600e7be034959cf49edab104cb5a39258
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 42685cf96e28262e0b84d74447f3d99f3f6a72e0
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< 7a3dec5b265cf87678b10c98a72a435a8e769bb7
`3904b28efb2c780c23dcddfb87e07fe0230661e5`	affected	< acc3949aab3e8094641a9c7c2768de1958c88378

Linux

affected

Version	Status	Constraints
`4.10`	affected	—
`0`	unaffected	< 4.10
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,935f57dd43492240e1ca220dd065d624efece6be)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,8544c488e50206f00630a8bbba43d2c8bd290345)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,2a86a396aa001a9f9ba2d37dda36573a76f17c90)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,66c0d1d600e7be034959cf49edab104cb5a39258)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,42685cf96e28262e0b84d74447f3d99f3f6a72e0)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,7a3dec5b265cf87678b10c98a72a435a8e769bb7)`	affected	code_commit	—
`[3904b28efb2c780c23dcddfb87e07fe0230661e5,acc3949aab3e8094641a9c7c2768de1958c88378)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.10`	affected	semver	—
`[0,4.10)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the mpu3050‑core driver patch described in the CVE fix
Rebuild the kernel or the MPU3050 driver from source that incorporates the corrected pm_runtime_resume_and_get() handling
Reboot the system so the updated driver is loaded and the runtime power‑management state is reset

Generated by OpenCVE AI on May 15, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90
https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677
https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0
https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258
https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7
https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345
https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be
https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378
https://lore.kernel.org/linux-cve-announce/2026050824-CVE-2026-43357-4d3f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43357
https://www.cve.org/CVERecord?id=CVE-2026-43357

History

Fri, 15 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 12 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-682

Tue, 12 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-390
References		https://lore.kernel.org/linux-cve-announce/2026050824-CVE-2026-43357-4d3f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43357 https://www.cve.org/CVERecord?id=CVE-2026-43357

Fri, 08 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-682

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pm_runtime error handling The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure. In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable does not run when preenable fails.
Title		iio: gyro: mpu3050-core: fix pm_runtime error handling
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90 https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677 https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0 https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258 https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7 https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345 https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:13.050Z

Updated: 2026-05-11T22:23:00.799Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43357

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:46.477

Modified: 2026-05-15T16:03:01.143

Link: CVE-2026-43357

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43357 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T18:15:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object