CVE-2025-71198 Overview
CVE-2025-71198 is a Null Pointer Dereference vulnerability in the Linux kernel's IIO (Industrial I/O) subsystem, specifically affecting the st_lsm6dsx driver used for ST Microelectronics 6-axis IMU sensors. The vulnerability occurs when userspace attempts to configure accelerometer wakeup events on sensor devices that do not support event detection capabilities.
The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, incorrectly indicating support for IIO events across all supported sensors. However, event detection is not universally supported, and when userspace tries to configure accelerometer wakeup events on unsupported devices (such as the LSM6DS0), the st_lsm6dsx_write_event() function dereferences a NULL pointer while attempting to write to the wakeup register.
Critical Impact
Local users can trigger a kernel NULL pointer dereference by configuring wakeup events on unsupported st_lsm6dsx sensor devices, potentially causing system instability or denial of service.
Affected Products
- Linux kernel with st_lsm6dsx IIO driver
- Systems using ST Microelectronics LSM6DS0 IMU sensors
- Linux kernel IIO subsystem with event detection enabled
Discovery Timeline
- February 4, 2026 - CVE-2025-71198 published to NVD
- February 5, 2026 - Last updated in NVD database
Technical Details for CVE-2025-71198
Vulnerability Analysis
This vulnerability stems from an improper initialization of channel specification structures in the st_lsm6dsx driver. The driver defines a single iio_chan_spec array (st_lsm6dsx_acc_channels) that includes event specification pointers for all supported sensors, regardless of whether individual sensor variants actually support event detection functionality.
When a user attempts to configure wakeup events through the IIO subsystem interface on a sensor that lacks hardware event detection support (such as the LSM6DS0), the st_lsm6dsx_write_event() function is called. This function attempts to access wakeup register configuration through a pointer that is NULL for unsupported sensors, resulting in a kernel NULL pointer dereference.
The vulnerability requires local access to the system and the ability to interact with the IIO subsystem interfaces, typically through sysfs or ioctl calls. While this limits the attack surface, any local user with access to the IIO device interfaces could potentially trigger the vulnerability.
Root Cause
The root cause of this vulnerability is the use of a single struct iio_chan_spec array with non-NULL event_spec fields for all supported sensor variants, without considering that some sensors (like LSM6DS0) do not have hardware support for event detection. The driver lacked proper differentiation between sensors with and without event detection capabilities at the channel specification level.
Attack Vector
An attacker with local access to the system can exploit this vulnerability by:
- Identifying a system using an st_lsm6dsx-compatible sensor without event detection support
- Accessing the IIO subsystem interface for the accelerometer device
- Attempting to configure accelerometer wakeup events through the standard IIO event configuration interface
- Triggering the NULL pointer dereference in st_lsm6dsx_write_event() when the driver attempts to write to the non-existent wakeup register
The exploitation does not require elevated privileges beyond access to the IIO device interfaces, making it accessible to unprivileged local users on affected systems.
Detection Methods for CVE-2025-71198
Indicators of Compromise
- Kernel panic or oops messages referencing st_lsm6dsx_write_event function
- System instability or crashes when applications interact with LSM6DS0 or similar IMU sensors
- Kernel log entries showing NULL pointer dereference in the IIO subsystem
- Unexpected termination of processes accessing IIO accelerometer event configuration
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors in the st_lsm6dsx driver module
- Implement kernel auditing for IIO subsystem event configuration operations
- Deploy file integrity monitoring on kernel modules to detect unauthorized modifications
- Use SentinelOne's kernel-level monitoring to detect anomalous driver behavior and crash patterns
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed information on NULL pointer dereferences
- Configure alerting for repeated kernel oops or panics related to IIO drivers
- Monitor for unusual patterns of IIO device access that could indicate exploitation attempts
How to Mitigate CVE-2025-71198
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Restrict access to IIO device interfaces to trusted users and applications only
- Consider disabling the st_lsm6dsx driver module on systems where the affected sensors are not required
- Monitor systems for signs of exploitation attempts while patches are being deployed
Patch Information
The Linux kernel maintainers have released patches that define an additional struct iio_chan_spec array with NULL event_spec fields for sensors without event detection capability. The fix ensures that sensors like LSM6DS0 use the appropriate channel specification array that does not advertise unsupported event detection features.
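The root cause described under Root Cause and the fix described above, as an added example that is not kernel code: a simplified C model of the mismatch between a shared channel table that advertises events and a per-sensor wakeup register that may be NULL, with the second channel table the fix introduces and a defensive write path. Struct names, sensor settings and register values are assumptions.

```c
/* Model of the st_lsm6dsx defect: a shared channel table advertises events for every
 * sensor while only some sensors have a wakeup register. Names/values are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct event_spec { int type; int dir; };
/* Stand-in for struct iio_chan_spec: event_spec == NULL means the channel has no events. */
struct chan_spec { const char *name; const struct event_spec *event_spec; int num_event_specs; };
struct reg { uint8_t addr; uint8_t mask; };
/* Per-sensor settings; wakeup_reg stays NULL when the hardware lacks event detection. */
struct sensor_settings { const char *name; const struct chan_spec *acc_channels; const struct reg *wakeup_reg; };

static const struct event_spec acc_thresh_event[] = { { 1, 1 } };

/* Pre-fix layout: one table, events advertised for all sensors. */
static const struct chan_spec acc_channels_shared[] = {
    { "in_accel_x", acc_thresh_event, 1 },
};
/* Post-fix layout: a second table with NULL event_spec for sensors without events. */
static const struct chan_spec acc_channels_no_events[] = {
    { "in_accel_x", NULL, 0 },
};

static const struct reg lsm6dsm_wake = { 0x5B, 0x3F };  /* constructed, not datasheet values */
static const struct sensor_settings lsm6dsm = { "lsm6dsm", acc_channels_shared, &lsm6dsm_wake };
static const struct sensor_settings lsm6ds0_prefix = { "lsm6ds0", acc_channels_shared, NULL };
static const struct sensor_settings lsm6ds0_fixed = { "lsm6ds0", acc_channels_no_events, NULL };

/* True when sysfs would expose event attributes although no wakeup register exists:
 * the state in which the unpatched st_lsm6dsx_write_event() dereferences NULL. */
bool advertises_unbacked_events(const struct sensor_settings *s)
{
    return s->acc_channels[0].event_spec != NULL && s->wakeup_reg == NULL;
}

/* Defensive write path: refuse instead of dereferencing a NULL register pointer. */
int write_wakeup_thresh(const struct sensor_settings *s, uint8_t thresh, uint8_t *regfile)
{
    const struct reg *r = s->wakeup_reg;
    if (!r)
        return -EOPNOTSUPP;
    regfile[r->addr] = (uint8_t)((regfile[r->addr] & ~r->mask) | (thresh & r->mask));
    return 0;
}
```

With the shared table the LSM6DS0 model advertises events it cannot back; with the second table it advertises none, so the write path is never reached.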
Multiple kernel commits address this vulnerability across different stable branches:
Workarounds
- Blacklist the st_lsm6dsx kernel module on systems where the sensor is not required using /etc/modprobe.d/
- Restrict device file permissions for IIO devices to prevent unauthorized access
- Implement SELinux or AppArmor policies to limit which processes can access IIO subsystem interfaces
# Blacklist the vulnerable driver module if not required
echo "blacklist st_lsm6dsx" | sudo tee /etc/modprobe.d/st_lsm6dsx-blacklist.conf
# Rebuild the initramfs so the blacklist applies at boot (Debian/Ubuntu; other distributions use dracut or similar)
sudo update-initramfs -u
# Restrict IIO event configuration attributes (adjust paths as needed; sysfs modes do not persist across reboots)
sudo chmod 600 /sys/bus/iio/devices/*/events/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.