Bug 2464500 (CVE-2026-31764) - CVE-2026-31764 kernel: iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only
Summary: CVE-2026-31764 kernel: iio: imu: st_lsm6dsx: Set buffer sampling frequency fo...
Keywords:
Status: NEW
Alias: CVE-2026-31764
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:10 UTC by OSIDB Bzimport
Modified: 2026-05-01 22:48 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:10:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only

The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace
writes the buffer sampling frequency sysfs attribute, calls
st_lsm6dsx_check_odr(), which accesses the odr_table array at index
`sensor->id`; since this array is only 2 entries long, an access for any
sensor type other than accelerometer or gyroscope is an out-of-bounds
access.

The motivation for being able to set a buffer frequency different from the
sensor sampling frequency is to support use cases that need accurate event
detection (which requires a high sampling frequency) while retrieving
sensor data at low frequency. Since all the supported event types are
generated from acceleration data only, do not create the buffer sampling
frequency attribute for sensor types other than the accelerometer.
Comment 1 Keith Grant 2026-05-01 22:46:51 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050146-CVE-2026-31764-8607@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.