Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71198

CVE-2025-71198: Linux Kernel st_lsm6dsx NULL Pointer Bug

CVE-2025-71198 is a NULL pointer dereference flaw in the Linux kernel st_lsm6dsx IIO driver that affects sensors without event detection. This article covers the technical details, affected systems, and mitigation.

Updated:

CVE-2025-71198 Overview

CVE-2025-71198 is a NULL pointer dereference vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the st_lsm6dsx IMU (Inertial Measurement Unit) driver. The st_lsm6dsx_acc_channels array of struct iio_chan_spec declared a non-NULL event_spec field, signaling IIO event support for all sensors using the driver. However, several supported sensors such as the LSM6DS0 do not implement event detection. When userspace configures accelerometer wakeup events on these sensors, st_lsm6dsx_write_event() dereferences a NULL pointer while writing to the wakeup register.

Critical Impact

Local users with access to IIO sysfs interfaces can trigger a kernel NULL pointer dereference, causing a denial-of-service condition on affected Linux systems.

Affected Products

  • Linux kernel versions containing the st_lsm6dsx IIO IMU driver
  • Systems integrating STMicroelectronics LSM6DSx-family sensors without event detection (e.g., LSM6DS0)
  • Embedded and IoT platforms exposing IIO event sysfs nodes to unprivileged userspace

Discovery Timeline

  • 2026-02-04 - CVE CVE-2025-71198 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-71198

Vulnerability Analysis

The Linux IIO framework allows userspace to register for hardware events such as accelerometer wakeup interrupts through sysfs attributes under /sys/bus/iio/devices/. Each channel description (struct iio_chan_spec) advertises supported events using the event_spec pointer. The st_lsm6dsx driver shared a single st_lsm6dsx_acc_channels array across every device variant it supports.

This shared array unconditionally populated event_spec, even for sensor variants whose hardware lacks wakeup-event registers. When a process wrote to the corresponding event-enable sysfs attribute, the kernel routed the call to st_lsm6dsx_write_event(), which then dereferenced configuration data assumed to exist for the device. On variants like the LSM6DS0, that data is absent, producing a NULL pointer dereference inside kernel context.

Root Cause

The root cause is improper input validation and incorrect channel metadata: a single iio_chan_spec array advertised event support for sensors that do not implement it. The driver did not validate whether the underlying device actually supports event registers before writing to them, resulting in dereference of an uninitialized pointer.

Attack Vector

Exploitation requires local access to the system and permission to write to IIO sysfs attributes for the affected sensor. An attacker with such access can write to the event-enable attribute corresponding to accelerometer wakeup, triggering the dereference. The result is a kernel oops or panic, leading to denial of service. No remote attack vector is documented, and no public exploit is available.

The upstream fix introduces an additional struct iio_chan_spec array whose entries leave event_spec set to NULL. The driver now selects this array for sensor variants without event-detection capability, preventing userspace from reaching the vulnerable code path.

Detection Methods for CVE-2025-71198

Indicators of Compromise

  • Kernel oops or panic messages referencing st_lsm6dsx_write_event in dmesg or /var/log/kern.log
  • Unexpected reboots or kernel crashes on devices using STMicroelectronics LSM6DSx-family IMUs
  • Userspace processes writing to IIO event sysfs attributes on sensors lacking event hardware

Detection Strategies

  • Audit kernel ring buffer output for NULL pointer dereference traces involving the iio or st_lsm6dsx modules
  • Inventory devices using the st_lsm6dsx driver and identify variants such as LSM6DS0 that lack event detection
  • Monitor process activity touching /sys/bus/iio/devices/iio:device*/events/ paths on affected hardware

Monitoring Recommendations

  • Forward kernel logs to a centralized logging or SIEM platform and alert on crash signatures matching st_lsm6dsx_write_event
  • Track installed kernel package versions across the fleet to confirm patch deployment
  • Establish baseline access patterns for IIO sysfs nodes and flag anomalous writes from unprivileged processes

How to Mitigate CVE-2025-71198

Immediate Actions Required

  • Update affected systems to a Linux kernel release that includes the upstream fix for the st_lsm6dsx driver
  • Restrict write access to IIO event sysfs attributes through filesystem permissions or LSM policies
  • Identify and prioritize embedded and IoT devices using LSM6DSx-family sensors for kernel updates

Patch Information

The vulnerability is resolved across multiple stable branches via the following upstream commits: 4d60ffcdedfe, 7673167fac93, 81ed6e42d6e5, and c34e2e2d67b3. The patch defines a separate iio_chan_spec array with NULL event_spec entries and assigns it to sensor variants without event detection.

Workarounds

  • Restrict permissions on /sys/bus/iio/devices/iio:device*/events/ to root-only access where supported by the platform
  • Unload or blacklist the st_lsm6dsx driver on systems that do not require IMU functionality
  • Apply mandatory access control policies (SELinux, AppArmor) to prevent untrusted processes from writing IIO event attributes
bash
# Restrict IIO event sysfs access until the kernel patch is deployed
find /sys/bus/iio/devices -path '*/events/*' -type f -exec chmod 600 {} \;

# Verify the running kernel version contains the fix
uname -r
dmesg | grep -i st_lsm6dsx

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.