CVE-2026-31764
Awaiting Analysis Awaiting Analysis - Queue
Buffer Sampling Frequency OOB in ST LSM6DSX Kernel Driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace writes the buffer sampling frequency sysfs attribute, calls st_lsm6dsx_check_odr(), which accesses the odr_table array at index `sensor->id`; since this array is only 2 entries long, an access for any sensor type other than accelerometer or gyroscope is an out-of-bounds access. The motivation for being able to set a buffer frequency different from the sensor sampling frequency is to support use cases that need accurate event detection (which requires a high sampling frequency) while retrieving sensor data at low frequency. Since all the supported event types are generated from acceleration data only, do not create the buffer sampling frequency attribute for sensor types other than the accelerometer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31764
EUVD
EUVD-2026-26577
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stmicroelectronics st_lsm6dsx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel driver for the st_lsm6dsx sensor. Specifically, the function st_lsm6dsx_hwfifo_odr_store() allows userspace to set the buffer sampling frequency for sensors. It calls another function, st_lsm6dsx_check_odr(), which accesses an array called odr_table using the sensor's ID as an index. However, this array only has two entries, corresponding to the accelerometer and gyroscope sensors. If the sensor type is anything other than these two, the code attempts to access the array out-of-bounds, leading to a potential out-of-bounds memory access.

The root cause is that the buffer sampling frequency attribute is created for all sensor types, but only accelerometer data supports the event types that require this attribute. The fix was to restrict the creation of this attribute to accelerometer sensors only, preventing out-of-bounds access.


How can this vulnerability impact me? :

An out-of-bounds access in kernel code can lead to undefined behavior, including potential system crashes, data corruption, or security issues such as privilege escalation or information disclosure. Since this vulnerability involves accessing memory outside the bounds of an array, it could be exploited to compromise system stability or security.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by ensuring that the buffer sampling frequency sysfs attribute is only created for the accelerometer sensor type, preventing out-of-bounds access in the st_lsm6dsx driver.

Immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed, which restricts the buffer sampling frequency setting to the accelerometer sensor only.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart