VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Apr 15, 2026

CVE-2025-71198

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection

The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's st_lsm6dsx IIO IMU driver, the accelerometer channels of sensors without event detection still advertise event support, causing a NULL pointer dereference when wakeup events are configured.

The st_lsm6dsx driver for STM IMU sensors defines an iio_chan_spec array (st_lsm6dsx_acc_channels) with a non-NULL event_spec field, indicating support for IIO events. However, event detection is not available on all sensor variants (e.g., LSM6DS0). When userspace attempts to configure accelerometer wakeup events on such a sensor, st_lsm6dsx_write_event() dereferences a NULL pointer while writing to the wakeup register, leading to a kernel crash.

Exploitation requires local access to the IIO device, typically through sysfs or a custom userspace program. The attacker must be able to enable events on an accelerometer channel of a sensor that lacks event support. No special privileges beyond access to the IIO subsystem are needed, as the misconfiguration originates from the driver's incorrect channel specification.

The impact is a denial of service via NULL pointer dereference, causing a system crash (kernel oops). An attacker could repeatedly trigger this to disrupt system availability. There is no evidence of privilege escalation or data leakage.

The vulnerability is fixed in Linux kernel commits [1] and [2], which introduce a separate iio_chan_spec array with NULL event_spec for sensors without event detection, and use it appropriately. Users should update to a kernel containing these fixes. No workaround is provided.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
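
The channel-selection fix described above, as a simplified userspace model in C. This is an added example, not the kernel driver's code: the struct layouts, `acc_channels_no_events`, `probe`, `userspace_set_wakeup`, the `-ENOENT` return, the sensor name `sensor-with-events` and the register value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel types (assumed shapes). */
struct event_spec { int type; };
struct chan_spec { const char *name; const struct event_spec *event_spec; };
struct sensor {
    const char *name;
    const unsigned char *wakeup_reg; /* NULL: no event detection hardware */
    const struct chan_spec *acc;     /* channel array chosen at probe */
};

static const struct event_spec wakeup_event = { 1 };
/* Models st_lsm6dsx_acc_channels: advertises events on every sensor. */
static const struct chan_spec acc_channels[] = { { "accel_x", &wakeup_event } };
/* The fix: same channel, but event_spec is NULL (hypothetical name). */
static const struct chan_spec acc_channels_no_events[] = { { "accel_x", NULL } };

/* Post-fix probe logic: pick the array that matches the hardware. */
static void probe(struct sensor *s)
{
    s->acc = s->wakeup_reg ? acc_channels : acc_channels_no_events;
}

/* Driver callback model: uses the wakeup register description unguarded,
 * which is the NULL dereference when wakeup_reg is absent. */
static int write_event(const struct sensor *s)
{
    return *s->wakeup_reg; /* register address that would be written */
}

/* Core model: event attributes exist only for channels with an event_spec,
 * so the callback is unreachable once event_spec is NULL. */
static int userspace_set_wakeup(const struct sensor *s)
{
    if (!s->acc[0].event_spec)
        return -ENOENT; /* model's choice: no event attribute to write */
    return write_event(s);
}

int main(void)
{
    static const unsigned char reg = 0x42; /* constructed address */
    struct sensor with = { "sensor-with-events", &reg, NULL };
    struct sensor without = { "LSM6DS0", NULL, NULL };
    probe(&with); probe(&without);
    printf("%d %d\n", userspace_set_wakeup(&with), userspace_set_wakeup(&without));
    return 0;
}
```

Before the fix, the model's `probe` would assign `acc_channels` unconditionally, and the LSM6DS0 case would reach `write_event` with a NULL `wakeup_reg`.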
