CVE-2025-71198 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection

The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/30/2026

The vulnerability CVE-2025-71198 affects the Linux kernel's industrial I/O (IIO) subsystem, specifically within the st_lsm6dsx driver that manages STMicroelectronics LSM6DSX family inertial measurement units. This issue stems from an improper handling of sensor channel specifications where the driver incorrectly assumes all devices in the LSM6DSX family support event detection capabilities. The flaw manifests when attempting to configure accelerometer wakeup events on sensors that lack this functionality, creating a critical null pointer dereference condition.

The technical implementation flaw resides in the st_lsm6dsx_acc_channels array definition which contains struct iio_chan_spec entries with non-NULL event_spec fields, signaling event support to the IIO subsystem. However, this assumption is incorrect for certain variants like the LSM6DS0 sensor, which lacks hardware support for event detection. When userspace applications attempt to configure wakeup events on these unsupported devices, the st_lsm6dsx_write_event() function executes a null pointer dereference operation when accessing the wakeup register, leading to potential system crashes or privilege escalation opportunities.

This vulnerability impacts the operational integrity of embedded systems relying on the Linux kernel's IIO framework for sensor data acquisition and event handling. The flaw represents a classic software design error where hardware capability assumptions are not properly validated before executing device-specific operations. The issue affects devices that utilize the st_lsm6dsx driver for accelerometer data collection and potentially wakeup event configuration, which are common in mobile devices, IoT sensors, and embedded automotive systems. The null pointer dereference creates an execution path that can be exploited to cause system instability or potentially gain elevated privileges depending on the system's security configuration.

The fix implements a dual-array approach by defining an additional struct iio_chan_spec array that properly sets event_spec fields to NULL for sensors lacking event detection capabilities. This solution directly addresses the root cause by ensuring that only sensors with actual hardware support for event detection are presented with event configuration interfaces. The implementation follows established security principles by avoiding assumptions about hardware capabilities and implementing proper device capability validation before executing sensitive operations. This approach aligns with CWE-476 which addresses null pointer dereference vulnerabilities and follows ATT&CK technique T1068 by preventing privilege escalation through kernel memory corruption vulnerabilities. The mitigation strategy ensures that device drivers properly enumerate supported features and prevents erroneous configuration attempts that could lead to system instability or security breaches.

Responsible

Linux

Reservation

01/31/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!