CVE-2026-43307 Overview
CVE-2026-43307 is a Linux kernel vulnerability in the iio/accel/adxl380 driver. The flaw resides in the interrupt handler logic that reads FIFO entries from the Analog Devices ADXL380 accelerometer. The handler reads samples in batches of N, where N equals the number of enabled scan elements. Because the sensor fills the FIFO one sample at a time, the entry count returned by the status registers may not be a multiple of N. When this occurs, the driver reads more entries than are actually present in the FIFO, resulting in an out-of-bounds read condition within kernel space.
Critical Impact
A local authenticated attacker can leverage the FIFO over-read on systems using the ADXL380 driver to compromise kernel-level confidentiality, integrity, and availability.
Affected Products
- Linux Kernel (mainline iio/accel/adxl380 driver)
- Stable kernel branches prior to commits a40f316085985, a8e88edfd69d, c1b14015224c, and f42ddb2945ae
- Distributions shipping unpatched kernels that enable the ADXL380 IIO accelerometer driver
Discovery Timeline
- 2026-05-08 - CVE-2026-43307 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43307
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the Industrial I/O (IIO) accelerometer driver for the Analog Devices ADXL380 sensor. The interrupt service routine retrieves buffered samples from the device's hardware FIFO based on a count reported by status registers. The driver assumes this count is a multiple of N, the number of enabled scan channels, and processes data in fixed-size batches.
When the FIFO entry count is not aligned to N, the driver iterates past the valid sample region. The over-read returns stale or uninitialized hardware register data into kernel buffers, which may then be exposed to user space through the IIO buffer interface. Depending on memory layout, the condition can also corrupt the driver's internal accounting and destabilize the subsystem.
Root Cause
The root cause is missing input validation on the FIFO entry count returned by the sensor. The driver did not round the value down to the nearest multiple of N before issuing batched reads. The upstream fix, applied across commits a40f316085985, a8e88edfd69d, c1b14015224c, and f42ddb2945ae, rounds the FIFO entry count down so that the read loop never exceeds the number of samples actually present.
Attack Vector
Exploitation requires local access with permissions to interact with the IIO buffer device files, typically under /dev/iio:deviceX or /sys/bus/iio/devices/. An attacker with rights to configure scan elements and trigger sampling on the ADXL380 device can manipulate channel enablement to induce non-aligned FIFO states. No user interaction is required, and the impact is confined to systems where the ADXL380 sensor and driver are present, which limits the realistic attack surface to embedded platforms and devices integrating this accelerometer.
Detection Methods for CVE-2026-43307
Indicators of Compromise
- Unexpected kernel log entries from the adxl380 driver referencing FIFO read anomalies or buffer underruns.
- Anomalous user-space processes opening /dev/iio:device* nodes associated with the ADXL380 and toggling scan_elements configurations repeatedly.
- Kernel oops, panic, or KASAN reports referencing adxl380_fifo_push or related IIO buffer functions.
Detection Strategies
- Inventory running kernel versions and compare against the patched stable commits to identify exposed hosts.
- Enable Kernel Address Sanitizer (KASAN) on test images to surface out-of-bounds reads during driver fuzzing.
- Audit udev rules and permissions on IIO device nodes to identify which users and services can access the ADXL380 interface.
Monitoring Recommendations
- Forward dmesg and journald kernel facility logs to a centralized log store and alert on adxl380-tagged warnings.
- Monitor for unauthorized processes reading from /sys/bus/iio/devices/ or writing to buffer/enable sysfs entries.
- Track kernel package versions across the fleet and alert when hosts run kernels older than the fixed stable releases.
How to Mitigate CVE-2026-43307
Immediate Actions Required
- Update the Linux kernel to a stable release that includes the upstream fix from commits a40f316085985, a8e88edfd69d, c1b14015224c, or f42ddb2945ae.
- Restrict access to IIO device files so that only trusted system services and users can interact with the ADXL380 sensor.
- Reboot affected systems after kernel updates to ensure the patched driver replaces the vulnerable in-memory module.
Patch Information
The fix rounds the FIFO entry count read from the status registers down to the nearest multiple of N, guaranteeing the read loop never exceeds the number of samples present. Patches are available in the upstream stable tree. Refer to the Kernel Git Commit a40f316085985, Kernel Git Commit a8e88edfd69d, Kernel Git Commit c1b14015224c, and Kernel Git Commit f42ddb2945ae.
Workarounds
- Blacklist the adxl380 kernel module on systems that do not require the accelerometer, preventing the vulnerable code path from loading.
- Tighten file permissions on /dev/iio:device* nodes to root-only access until the patch is deployed.
- Disable user-space access to IIO buffer triggers by removing or restricting non-essential udev rules that expose the sensor.
# Configuration example: blacklist the adxl380 module and restrict IIO device access
echo "blacklist adxl380" | sudo tee /etc/modprobe.d/disable-adxl380.conf
sudo depmod -a
sudo update-initramfs -u
# Restrict IIO device node permissions via udev
cat <<EOF | sudo tee /etc/udev/rules.d/90-iio-restrict.rules
KERNEL=="iio:device*", MODE="0600", OWNER="root", GROUP="root"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
