Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: kaweth: validate USB endpoints

The kaweth driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs, the driver
will crash later on when it blindly accesses these endpoints.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The kaweth driver did not verify the number and types of USB endpoints exposed by a device before binding to it. A malicious USB device that presents an unexpected endpoint set is still accepted at probe time, and the driver later submits transfers to endpoints that do not exist, dereferencing a missing endpoint descriptor (the NULL pointer dereference recorded as CWE-476, alongside CWE-20, improper input validation). The result is a kernel oops or panic on the host, i.e. a denial of service; the CVSS vector (C:N/I:N/A:H) records no confidentiality or integrity impact.
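
As an added illustration (not the kernel's code and not the kaweth patch), the following userspace C model shows the shape of the check the commit message calls for: endpoints are discovered by transfer type and direction, and the probe refuses to bind (returning -ENODEV) when any required endpoint is missing, instead of using a fixed endpoint number and trusting the device. In-kernel drivers get the same discovery from the USB core helper usb_find_common_endpoints(). The expected layout used here (one bulk IN, one bulk OUT, one interrupt IN) and the sample descriptors are assumptions constructed for the example, not taken from this CVE.

```c
/*
 * Userspace model of "validate endpoints before binding". Written for this
 * page; not kernel code and not the kaweth driver's fix. The expected layout
 * (bulk IN, bulk OUT, interrupt IN) and all sample descriptors are assumed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Endpoint descriptor fields relevant to the check (values from the USB spec). */
#define USB_DIR_IN                 0x80  /* bit 7 of bEndpointAddress */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03  /* low two bits of bmAttributes */
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

struct ep_desc {
    uint8_t  bEndpointAddress;  /* direction bit | endpoint number */
    uint8_t  bmAttributes;      /* transfer type in the low two bits */
    uint16_t wMaxPacketSize;
};

struct iface_desc {
    const struct ep_desc *ep;   /* endpoint descriptors as reported by the device */
    size_t num_ep;              /* bNumEndpoints */
};

/* Endpoints a driver of this shape needs; NULL means "not found". */
struct needed_eps {
    const struct ep_desc *bulk_in, *bulk_out, *int_in;
};

static int ep_is_in(const struct ep_desc *e)
{
    return (e->bEndpointAddress & USB_DIR_IN) != 0;
}

static int ep_xfer_type(const struct ep_desc *e)
{
    return e->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK;
}

/*
 * Discover endpoints by type and direction rather than trusting fixed
 * numbers. Returns 0 and fills *out on success, -ENODEV when a required
 * endpoint is missing (what probe() should return so the core never binds).
 * *out is left untouched on failure.
 */
int validate_endpoints(const struct iface_desc *intf, struct needed_eps *out)
{
    struct needed_eps found = { NULL, NULL, NULL };

    for (size_t i = 0; i < intf->num_ep; i++) {
        const struct ep_desc *e = &intf->ep[i];
        int type = ep_xfer_type(e);

        if (type == USB_ENDPOINT_XFER_BULK && ep_is_in(e) && !found.bulk_in)
            found.bulk_in = e;
        else if (type == USB_ENDPOINT_XFER_BULK && !ep_is_in(e) && !found.bulk_out)
            found.bulk_out = e;
        else if (type == USB_ENDPOINT_XFER_INT && ep_is_in(e) && !found.int_in)
            found.int_in = e;
        /* Anything else is ignored: a surplus endpoint is harmless. */
    }

    if (!found.bulk_in || !found.bulk_out || !found.int_in)
        return -ENODEV;
    if (found.int_in->wMaxPacketSize == 0)   /* cannot carry status data */
        return -ENODEV;

    *out = found;
    return 0;
}

/* Convenience wrappers: bEndpointAddress of the validated endpoint, or -1. */
int accepted_bulk_in(const struct iface_desc *intf)
{
    struct needed_eps e;
    return validate_endpoints(intf, &e) ? -1 : e.bulk_in->bEndpointAddress;
}
int accepted_int_in(const struct iface_desc *intf)
{
    struct needed_eps e;
    return validate_endpoints(intf, &e) ? -1 : e.int_in->bEndpointAddress;
}

/* Constructed sample devices (not captured from real hardware). */
static const struct ep_desc genuine_eps[] = {
    { USB_DIR_IN | 1, USB_ENDPOINT_XFER_BULK, 64 },
    { 2,              USB_ENDPOINT_XFER_BULK, 64 },
    { USB_DIR_IN | 3, USB_ENDPOINT_XFER_INT,   8 },
};
/* Too few endpoints: blind use of "endpoint 3" would touch a descriptor that does not exist. */
static const struct ep_desc truncated_eps[] = {
    { USB_DIR_IN | 1, USB_ENDPOINT_XFER_BULK, 64 },
};
/* Right count, wrong types: three bulk OUT endpoints. */
static const struct ep_desc wrong_type_eps[] = {
    { 1, USB_ENDPOINT_XFER_BULK, 64 },
    { 2, USB_ENDPOINT_XFER_BULK, 64 },
    { 3, USB_ENDPOINT_XFER_BULK, 64 },
};
const struct iface_desc genuine_dev    = { genuine_eps, 3 };
const struct iface_desc truncated_dev  = { truncated_eps, 1 };
const struct iface_desc wrong_type_dev = { wrong_type_eps, 3 };
const struct iface_desc empty_dev      = { NULL, 0 };

int main(void)
{
    const struct { const char *name; const struct iface_desc *dev; } cases[] = {
        { "genuine", &genuine_dev }, { "truncated", &truncated_dev },
        { "wrong-type", &wrong_type_dev }, { "no-endpoints", &empty_dev },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct needed_eps e;
        int rc = validate_endpoints(cases[i].dev, &e);
        printf("%-12s -> %s\n", cases[i].name, rc ? "refuse to bind (-ENODEV)" : "bind");
    }
    return 0;
}
```

Compile with cc -Wall; only the genuine device binds, the other three are refused before any transfer would be submitted. The point generalises to any USB driver that hard-codes endpoint numbers: the hostile case is not only too few endpoints but also the right count with the wrong types, which a length check alone would miss.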

Affected Systems

Any Linux kernel built with the kaweth driver (Kconfig option CONFIG_USB_KAWETH, module name kaweth) and lacking the fix is affected; this page lists no affected or fixed version numbers, and the affected-project list is not shown. A host is in scope only if it can load this driver and an attacker can present a USB device to it; kernels built without the driver are not affected.

Risk and Exploitability

The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H gives a score of 5.5 (Medium): local attack vector, low privileges, availability impact only; Red Hat rates it Low. The EPSS score below 1% and the absence of a CISA KEV listing indicate no observed exploitation in the wild. In practice an attacker must get a crafted USB device in front of the kernel's USB stack, either by plugging it in physically or through a path that forwards or emulates an attacker-controlled device to the host, so exposure is concentrated on machines where untrusted devices can be attached.

Generated by OpenCVE AI on March 26, 2026 at 14:01 UTC.

Remediation

No vendor fix or workaround is listed in this section. The description itself records the upstream kernel commit "net: usb: kaweth: validate USB endpoints" as the resolution, so the fix is a kernel update carrying that commit; no fixed version numbers are given on this page.

OpenCVE Recommended Actions

  • Update the kernel to a build that includes the upstream commit "net: usb: kaweth: validate USB endpoints". This page lists no fixed version numbers, so check your distribution's kernel changelog or the Red Hat Bugzilla entry linked below for the release that carries it.
  • If a kernel upgrade is not immediately possible, prevent the driver from binding at all. Unloading it with modprobe -r kaweth is not sufficient on its own, because the module is autoloaded again as soon as a matching device is plugged in; add a modprobe.d rule (install kaweth /bin/false) or blacklist the module so it cannot be loaded, or build the kernel without CONFIG_USB_KAWETH. The driver serves only a family of legacy USB Ethernet adapters, so disabling it costs nothing on most hosts.
  • Watch kernel logs (dmesg or the journal) for oops or panic messages that mention kaweth, which would indicate a device triggering the bug. On hosts exposed to untrusted devices, restricting or disabling USB ports until the patched kernel is installed is a heavier interim measure.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20, CWE-476

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1288
References
Metrics threat_severity: None → Low
cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20, CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
Title net: usb: kaweth: validate USB endpoints
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:54.585Z

Reserved: 2026-01-13T15:37:45.994Z

Link: CVE-2026-23312

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:27.463

Modified: 2026-04-18T09:16:18.510

Link: CVE-2026-23312

Redhat

Severity : Low

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23312 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:56Z

Weaknesses