CVE-2025-39719
Description
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: bno055: fix OOB access of hw_xlate array
Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c.
In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array.
By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length.
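The loop-bound mismatch described above, shown as an added example that is not the driver's code: a simplified user-space model in which the struct, the function names, `vals_len` and all table values are constructed for illustration (only `vals`, `hw_xlate` and `hw_xlate_len` come from the description). The three entries after the five valid encodings stand in for adjacent memory, so the over-long loop stays inside one array and the program remains well defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; not the driver's code. */
struct xlate_attr {
    const int *vals;      /* user-visible values */
    size_t vals_len;      /* hypothetical name for the length of vals */
    const int *hw_xlate;  /* register encodings, may be shorter than vals */
    size_t hw_xlate_len;  /* explicit length, as the fix adds */
};

/* Constructed data: 5 valid encodings, then unrelated values standing in
 * for whatever follows hw_xlate in memory. */
static const int backing[8] = { 0, 1, 2, 3, 4, 0x7f, 0x7f, 0x7f };
static const int demo_vals[8] = { 125, 250, 500, 1000, 2000, 4000, 8000, 16000 };
static const struct xlate_attr demo_attr = {
    .vals = demo_vals, .vals_len = 8,
    .hw_xlate = backing, .hw_xlate_len = 5,
};

/* Pre-fix pattern: hw_xlate is walked with the length of vals. */
static int xlate_index_prefix(const struct xlate_attr *a, int hwval)
{
    for (size_t i = 0; i < a->vals_len; i++)
        if (a->hw_xlate[i] == hwval)
            return (int)i;
    return -1;
}

/* Post-fix pattern: hw_xlate is walked with its own length. */
static int xlate_index_fixed(const struct xlate_attr *a, int hwval)
{
    for (size_t i = 0; i < a->hw_xlate_len; i++)
        if (a->hw_xlate[i] == hwval)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Expected register value: both loops stop at the match. */
    printf("%d %d\n", xlate_index_prefix(&demo_attr, 2), xlate_index_fixed(&demo_attr, 2));
    /* Unexpected register value: only the pre-fix loop leaves the table. */
    printf("%d %d\n", xlate_index_prefix(&demo_attr, 0x7f), xlate_index_fixed(&demo_attr, 0x7f));
    return 0;
}
```

With a value that is present in the table both loops return the same index, which is why the description says the overrun should not happen in practice; the two differ only when no match exists within the first `hw_xlate_len` entries.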
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's BNO055 driver, an out-of-bounds array access in bno055_get_regmask() could occur when iterating over the hw_xlate array using the wrong length.
Vulnerability Overview
CVE-2025-39719 is a high-severity vulnerability in the Linux kernel's IIO subsystem, specifically in the BNO055 IMU driver. The bug resides in the bno055_get_regmask() function, where the hw_xlate array is iterated using the length of the vals array instead of the length of hw_xlate itself. This mismatch can lead to an out-of-bounds (OOB) memory access when the vals array is larger than hw_xlate, as is the case with bno055_gyr_scale [1].
Exploitation Conditions
Exploitation requires the IIO driver to be built into the kernel or loaded, and the device to be accessible. The vulnerability is triggered during normal operation when the driver attempts to translate a scale value via the hw_xlate table. In practice, a match is usually found before the loop exceeds the array bounds, but an attacker who can influence the scale value or the device's state could potentially force the loop to continue past the end of hw_xlate, causing an OOB read or write [1].
Impact
An out-of-bounds access in kernel memory can lead to information disclosure (reading sensitive data) or a system crash (denial of service). The CVSS v3 score of 7.1 indicates a moderate impact, but the vulnerability could be leveraged for privilege escalation if combined with other weaknesses. The fix introduces a new hw_xlate_len field that states the size of the hw_xlate array explicitly, preventing the OOB condition [1].
Mitigation
The Linux kernel stable tree has released patches that correct the iteration length. Users should update to a kernel version containing the commit that adds the hw_xlate_len field [2][3][4]. Siemens has also listed this CVE as affecting SIMATIC CN 4100 devices before V5.0, recommending an update to the latest firmware [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Linux/Linux v5 Range: 6.1
Patches (0)
No patches discovered yet.
References (7)
- git.kernel.org/stable/c/399b883ec828e436f1a721bf8551b4da8727e65b (nvd, Patch)
- git.kernel.org/stable/c/4808ca3aa30ae857454d0b41d2d0bf161a312b45 (nvd, Patch)
- git.kernel.org/stable/c/50e823a23816b792daf6e8405f8d6045952bb90e (nvd, Patch)
- git.kernel.org/stable/c/5c2b601922c064f7be70ae8621277f18d1ffec59 (nvd, Patch)
- git.kernel.org/stable/c/a0691ab6334f1769acc64ea9e319414a682ff45d (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions (1)
- Siemens SIMATIC (CISA ICS Advisories)