CVE-2026-31763
Description
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050: Fix incorrect free_irq() variable
The handler for the IRQ part of this driver is mpu3050->trig, but in the teardown free_irq() is called with handler mpu3050.
Use correct IRQ handler when calling free_irq().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's mpu3050 gyroscope driver, free_irq() incorrectly uses the device pointer instead of the trigger handler, leading to potential use-after-free.
Vulnerability Description
In the Linux kernel's IIO gyroscope driver for the MPU3050, a bug exists in the IRQ teardown path. The driver registers mpu3050->trig as the interrupt handler, but when calling free_irq(), it incorrectly passes the device structure mpu3050 instead of the trigger handler. This mismatch can lead to improper cleanup, potentially causing a use-after-free or other memory corruption issues [1][2][3][4].
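The cookie mismatch described above, as a user-space C model added here (not the kernel's or the driver's code): free_irq() removes only the registration whose dev_id equals the one given at request time, so a teardown that passes the device struct leaves the handler installed. The helper names, the cookie array and the stub structs are assumptions made for illustration.

```c
/* User-space model (constructed, not kernel code) of dev_id matching. */
#include <stdio.h>
#include <string.h>
#define MAX_ACTIONS 4
static void *action_dev_id[MAX_ACTIONS];  /* cookies on one IRQ line; NULL = free slot */

/* Model of request_irq(): store the cookie later handed to the handler. */
static int model_request_irq(void *dev_id)
{
    for (int i = 0; i < MAX_ACTIONS; i++)
        if (!action_dev_id[i]) {
            action_dev_id[i] = dev_id;
            return 0;
        }
    return -1;
}

/* Model of free_irq(): removes only the matching cookie; -1 means no match. */
static int model_free_irq(void *dev_id)
{
    for (int i = 0; i < MAX_ACTIONS; i++)
        if (action_dev_id[i] == dev_id) {
            action_dev_id[i] = NULL;
            return 0;
        }
    return -1;
}

struct trigger { int unused; };            /* stand-in for the IIO trigger */
struct mpu3050 { struct trigger *trig; };  /* stand-in for the driver state */

/* Returns how many handlers are still registered after teardown. */
static int handlers_left(int fixed)
{
    struct trigger trig = { 0 };
    struct mpu3050 dev = { .trig = &trig };
    int left = 0;
    memset(action_dev_id, 0, sizeof(action_dev_id));
    model_request_irq(dev.trig);  /* registered with mpu3050->trig */
    model_free_irq(fixed ? (void *)dev.trig : (void *)&dev);
    for (int i = 0; i < MAX_ACTIONS; i++)
        left += action_dev_id[i] != NULL;
    return left;
}

int main(void)
{
    printf("handlers left before/after fix: %d/%d\n", handlers_left(0), handlers_left(1));
    return 0;
}
```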
Exploitation Conditions
The vulnerability is triggered during driver removal or error handling that invokes the teardown sequence. An attacker would need local access to the system and the ability to interact with the IIO subsystem, such as unloading the kernel module or inducing an error that forces cleanup. No special privileges are required beyond local user access, making it a local attack vector.
Impact
If exploited, the incorrect free_irq() call could result in a kernel crash (denial of service) or, in more severe cases, memory corruption that might be leveraged for privilege escalation. The CVSS v3 score of 5.5 (Medium) reflects the limited attack surface and the need for local access.
Mitigation
The fix corrects the free_irq() call to use the proper handler pointer (mpu3050->trig). Patches have been applied to multiple stable kernel branches [1][2][3][4]. Users should update their kernel to a version containing the fix to eliminate the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.10,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
References
- git.kernel.org/stable/c/11f7cd960f05b3f06747abfdc4e56dd0d8b8a157 (nvd, Patch)
- git.kernel.org/stable/c/2821f7b62c5b3633c4923c7e4f742380897cd511 (nvd, Patch)
- git.kernel.org/stable/c/8001b42fbd5e510dced3a25665019982c99bc708 (nvd, Patch)
- git.kernel.org/stable/c/8631e755fc07b651b5d158cc3656ef76cc874068 (nvd, Patch)
- git.kernel.org/stable/c/a09171d3f23e13bccd3dc34863186707c6301071 (nvd, Patch)
- git.kernel.org/stable/c/ac1233397f4cfe55d71f6aa459b42c256c951531 (nvd, Patch)
- git.kernel.org/stable/c/edb11a1aef4011a4b7b22cc3c3396c6fe371f4a6 (nvd, Patch)
- git.kernel.org/stable/c/fdbe4b5268cd41f9953d25a67d139e47cac34519 (nvd, Patch)