Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: enable basic endpoint checking

pegasus_probe() fills URBs with hardcoded endpoint pipes without
verifying the endpoint descriptors:

- usb_rcvbulkpipe(dev, 1) for RX data
- usb_sndbulkpipe(dev, 2) for TX data
- usb_rcvintpipe(dev, 3) for status interrupts

A malformed USB device can present these endpoints with transfer types
that differ from what the driver assumes.

Add a pegasus_usb_ep enum for endpoint numbers, replacing magic
constants throughout. Add usb_check_bulk_endpoints() and
usb_check_int_endpoints() calls before any resource allocation to
verify endpoint types before use, rejecting devices with mismatched
descriptors at probe time, and avoid triggering assertion.

Similar fix to
- commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
- commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel Pegasus USB driver, URBs are constructed using hard‑coded endpoint numbers without validating the device’s endpoint descriptors. This omission allows a malformed USB device to supply endpoints with transfer types that differ from what the driver expects, leading to an assertion failure or kernel crash when the URB is processed. The result is a host‑wide denial of service. The weakness is a form of unchecked input error, identified as CWE‑1287.

Affected Systems

The issue exists in all Linux kernels that include the Pegasus USB driver prior to the addition of explicit endpoint checking. Any kernel build with the unpatched Pegasus driver is vulnerable, regardless of version or patch level. Administrators should check whether the Pegasus module is loaded on their systems, particularly on older or custom kernel releases that may lack the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of <1% shows a very low yet non‑zero likelihood of exploitation. The most plausible attack vector is a physical connection of a crafted USB device that triggers the driver’s probe routine, potentially causing a system crash. Exploitation requires local physical access to mount the USB device. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on May 13, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel version that incorporates the Pegasus endpoint‑checking patch, or manually apply the upstream patch from the kernel source and rebuild the kernel.
  • If an immediate system update is not possible, compile and install the patched module into the current kernel, then reload the pegasus driver.
  • As an interim measure, prevent the pegasus module from loading by creating a modprobe.d blacklist file containing blacklist=pegasus, or restrict USB device insertion through udev rules to avoid triggering the vulnerable driver.

Generated by OpenCVE AI on May 13, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
Title net: usb: pegasus: enable basic endpoint checking
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:50.696Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43156

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:33.427

Modified: 2026-05-13T21:09:16.583

Link: CVE-2026-43156

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43156 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T23:15:08Z

Weaknesses