CVE-2026-23290 - Vulnerability Details

- net: usb: pegasus: validate USB endpoints

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: validate USB endpoints

The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Pegasus USB driver in the Linux kernel validates that the device it is probing has the correct number and types of USB endpoints before it binds to it. If a malicious device supplies fewer or different endpoints, the driver will later attempt to access these invalid endpoints and crash the kernel. This results in a denial of service by disrupting system availability, possibly requiring a reboot and causing temporary loss of service for any users relying on the host.

Affected Systems

The vulnerability affects Linux kernels that include the Pegasus USB driver. No specific version range is provided, which implies that all current kernel releases shipping this driver are potentially impacted. This includes mainstream distributions that use the mainline kernel with the Pegasus driver compiled in.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability does not provide remote code execution. Based on the description, the likely attack vector is a physical or authenticated USB connection, requiring an attacker to attach a crafted device to a vulnerable host. Since the vulnerability is not listed in the CISA KEV catalog and exploits would only cause a system crash, the overall risk is limited to service disruption rather than data compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d5d9086211877361f1bda44a0aec538ddb04042a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< af7369ae572f53cb701731a4289ec3b3889bc501
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 43d7c4114b1ec14f41f09306525d3b9382286fc1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 95556b4e879711693c9865ba0938c148f62d5ea4
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c3f1672eaea68c5cb6e1ec081cdb92045453218f
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 11de1d3ae5565ed22ef1f89d73d8f2d00322c699

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,43d7c4114b1ec14f41f09306525d3b9382286fc1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,95556b4e879711693c9865ba0938c148f62d5ea4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c3f1672eaea68c5cb6e1ec081cdb92045453218f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,11de1d3ae5565ed22ef1f89d73d8f2d00322c699)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the Pegasus driver endpoint validation fix, addressing the improper validation flaw (CWE‑909).
If immediate kernel upgrade is impossible, blacklist or unload the Pegasus USB driver to prevent the flaw from being triggered.
Implement USB device whitelisting or a USB firewall to restrict connections to trusted devices, reducing the chance of a malicious endpoint injection.
Monitor kernel logs for OOPS or panic messages related to USB activity to detect potential exploitation attempts.

Generated by OpenCVE AI on May 29, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DLA	DLA-4606-1	linux security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/11de1d3ae5565ed22ef1f89d73d8f2d00322c699
https://git.kernel.org/stable/c/43d7c4114b1ec14f41f09306525d3b9382286fc1
https://git.kernel.org/stable/c/7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f
https://git.kernel.org/stable/c/95556b4e879711693c9865ba0938c148f62d5ea4
https://git.kernel.org/stable/c/af7369ae572f53cb701731a4289ec3b3889bc501
https://git.kernel.org/stable/c/c3f1672eaea68c5cb6e1ec081cdb92045453218f
https://git.kernel.org/stable/c/d5d9086211877361f1bda44a0aec538ddb04042a
https://git.kernel.org/stable/c/ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2
https://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23290-af97@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23290
https://www.cve.org/CVERecord?id=CVE-2026-23290

History

Fri, 29 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/af7369ae572f53cb701731a4289ec3b3889bc501 https://git.kernel.org/stable/c/d5d9086211877361f1bda44a0aec538ddb04042a

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-909
References		https://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23290-af97@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23290 https://www.cve.org/CVERecord?id=CVE-2026-23290
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
Title		net: usb: pegasus: validate USB endpoints
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/11de1d3ae5565ed22ef1f89d73d8f2d00322c699 https://git.kernel.org/stable/c/43d7c4114b1ec14f41f09306525d3b9382286fc1 https://git.kernel.org/stable/c/7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f https://git.kernel.org/stable/c/95556b4e879711693c9865ba0938c148f62d5ea4 https://git.kernel.org/stable/c/c3f1672eaea68c5cb6e1ec081cdb92045453218f https://git.kernel.org/stable/c/ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:48.886Z

Updated: 2026-05-11T22:04:00.817Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23290

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:24.043

Modified: 2026-05-29T15:10:41.520

Link: CVE-2026-23290

Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23290 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T16:45:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object