Skip to main content

Linux Kernel CVE-2026-31764

| EUVDEUVD-2026-26577 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 20:31 vuln.today
CVSS changed
May 08, 2026 - 18:07 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26577
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only

The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace writes the buffer sampling frequency sysfs attribute, calls st_lsm6dsx_check_odr(), which accesses the odr_table array at index sensor->id; since this array is only 2 entries long, an access for any sensor type other than accelerometer or gyroscope is an out-of-bounds access.

The motivation for being able to set a buffer frequency different from the sensor sampling frequency is to support use cases that need accurate event detection (which requires a high sampling frequency) while retrieving sensor data at low frequency. Since all the supported event types are generated from acceleration data only, do not create the buffer sampling frequency attribute for sensor types other than the accelerometer.

AnalysisAI

Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.

Technical ContextAI

The st_lsm6dsx driver controls STMicroelectronics LSM6DSx series inertial measurement units (IMUs) in the Industrial I/O (IIO) subsystem. The vulnerability is a classic CWE-129 (Improper Validation of Array Index) in st_lsm6dsx_hwfifo_odr_store(), which handles writes to the buffer sampling frequency sysfs attribute. When userspace writes this attribute, the code calls st_lsm6dsx_check_odr() with sensor->id as an index into the odr_table array without bounds checking. Since odr_table contains only two entries (indices 0 and 1 for accelerometer and gyroscope respectively), any sensor type with id >= 2 causes out-of-bounds memory access. The affected CPE cpe:2.3:a:linux:linux indicates this is a Linux kernel component vulnerability. The fix restricts buffer sampling frequency attribute creation to accelerometer sensors only, as the feature's use case (accurate event detection at high sampling rates while retrieving data at low rates) applies exclusively to acceleration-based events in this driver architecture.

RemediationAI

Upgrade to Linux kernel 6.19.12 or 7.0, which restrict buffer sampling frequency sysfs attribute creation to accelerometer sensors only, eliminating the out-of-bounds access path. Distribution users should apply vendor security updates containing backported fixes-check advisories from Red Hat (RHSA), Ubuntu (USN), Debian (DSA), and SUSE (SUSE-SU) for respective kernel packages. For systems unable to update immediately, compensating controls include restricting write access to /sys/bus/iio/devices/iio:deviceX/buffer/sampling_frequency and related sysfs attributes to trusted administrative users only via filesystem permissions or MAC policies (SELinux, AppArmor). Note that restricting sysfs access may break legitimate userspace IIO applications that adjust sampling rates. For embedded systems, if LSM6DSx IMU functionality is not required, disable or do not load the st_lsm6dsx kernel module via modprobe blacklist. Verify fix application by checking kernel version with 'uname -r' and confirming patch commits 679c04c10d65 or 3225a81e8d26 are present in your kernel source tree.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy