CVE-2026-43357 Overview
CVE-2026-43357 is a Linux kernel vulnerability in the iio: gyro: mpu3050-core driver. The driver fails to check the return value of pm_runtime_get_sync(), allowing access to hardware that may have failed to resume. The device usage count is also unconditionally incremented, which can corrupt power management state and lead to instability. The fix replaces the call with pm_runtime_resume_and_get(), which propagates errors correctly and avoids incrementing the usage count on failure. The preenable path also adds pm_runtime_put_autosuspend() on set_8khz_samplerate() failure, since postdisable does not run when preenable fails.
Critical Impact
A local, low-privileged user interacting with the MPU3050 gyroscope driver can trigger driver misbehavior or kernel-level denial of service through unchecked PM runtime resume failures.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix)
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2 and 7.0-rc3
Discovery Timeline
- 2026-05-08 - CVE-2026-43357 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43357
Vulnerability Analysis
The defect resides in the Industrial I/O (IIO) subsystem driver mpu3050-core, which manages the InvenSense MPU-3050 gyroscope. The driver invokes pm_runtime_get_sync() to resume the device but never inspects the return value. When runtime resume fails, the hardware remains unready while the driver proceeds to perform register accesses against it.
A further side effect is that pm_runtime_get_sync() increments the device usage counter regardless of resume success. The counter therefore drifts upward on every failed resume, leaving the device pinned in an inconsistent power state. This can prevent autosuspend from ever taking effect and produces cascading PM reference imbalances.
The preenable callback compounds the issue. If set_8khz_samplerate() fails after a successful resume, the driver returns without releasing the runtime PM reference, because postdisable only executes when preenable succeeds. The result is a leaked reference per failed buffer enable.
Root Cause
The root cause is improper error handling around runtime power management [CWE-NVD-noinfo]. Specifically, the driver assumes pm_runtime_get_sync() always succeeds and treats its semantics as if usage-count increment were conditional on success. Neither assumption holds, and the absence of a paired pm_runtime_put*() on the early-exit error path completes the leak.
Attack Vector
Exploitation requires local access with permission to open the IIO character device exposed by the mpu3050 driver, typically /dev/iio:deviceN or sysfs buffer enable nodes. An attacker repeatedly triggers buffer enable and disable operations or induces transient runtime resume failures to corrupt PM reference counts. The outcome is high-availability impact through kernel resource exhaustion or device lockout, with no confidentiality or integrity exposure.
The vulnerability is described in prose only; no public proof-of-concept exploit is available. Refer to the upstream commits linked in the Kernel Git Commit 7a3dec5 for the authoritative patch details.
Detection Methods for CVE-2026-43357
Indicators of Compromise
- Kernel log entries from the mpu3050 driver indicating sample-rate configuration failures or repeated buffer enable errors.
- Runtime PM usage counters for the MPU-3050 device that never decrement to zero, observable through /sys/devices/.../power/runtime_usage.
- Unexplained device unavailability or stalled I/O against /dev/iio:deviceN nodes bound to the MPU-3050.
Detection Strategies
- Inventory kernel versions across Linux endpoints and flag hosts running unpatched stable branches identified in the NVD CPE list.
- Monitor dmesg for mpu3050 driver errors paired with PM resume failures.
- Audit IIO subsystem usage on systems that expose gyroscope hardware, including embedded and mobile-class Linux devices.
Monitoring Recommendations
- Collect kernel ring-buffer telemetry and forward it to a centralized analytics pipeline for correlation with package versions.
- Track runtime PM statistics on devices using the MPU-3050 to detect reference-count drift over time.
- Alert on repeated user-space failures opening or enabling IIO buffers tied to the affected driver.
How to Mitigate CVE-2026-43357
Immediate Actions Required
- Apply the upstream stable kernel patches referenced below to all affected Linux systems.
- Restrict access to IIO device nodes so that only trusted user-space services can open /dev/iio:device* paths.
- Where the MPU-3050 driver is not required, unload the mpu3050 module or disable it in the kernel configuration.
Patch Information
The issue is fixed by replacing pm_runtime_get_sync() with pm_runtime_resume_and_get() and adding pm_runtime_put_autosuspend() in the preenable error path. Patches are available in the following upstream commits: Kernel Git Commit 2a86a39, Kernel Git Commit 35f54e7, Kernel Git Commit 42685cf, Kernel Git Commit 66c0d1d, Kernel Git Commit 7a3dec5, Kernel Git Commit 8544c48, Kernel Git Commit 935f57d, and Kernel Git Commit acc3949a.
Workarounds
- Blacklist the mpu3050 kernel module on systems that do not require gyroscope telemetry.
- Apply strict file-system permissions and udev rules to limit access to IIO device nodes to specific service accounts.
- Reduce the frequency of buffer enable and disable cycles in user-space applications until patched kernels are deployed.
# Blacklist the affected driver until kernel patches are applied
echo "blacklist mpu3050" | sudo tee /etc/modprobe.d/blacklist-mpu3050.conf
sudo modprobe -r mpu3050 || true
# Restrict access to IIO device nodes via udev
cat <<'EOF' | sudo tee /etc/udev/rules.d/90-iio-restrict.rules
KERNEL=="iio:device*", MODE="0600", OWNER="root", GROUP="root"
EOF
sudo udevadm control --reload && sudo udevadm trigger
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
