CVE-2026-43156 - Vulnerability Details

- net: usb: pegasus: enable basic endpoint checking

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: enable basic endpoint checking

pegasus_probe() fills URBs with hardcoded endpoint pipes without
verifying the endpoint descriptors:

- usb_rcvbulkpipe(dev, 1) for RX data
- usb_sndbulkpipe(dev, 2) for TX data
- usb_rcvintpipe(dev, 3) for status interrupts

A malformed USB device can present these endpoints with transfer types
that differ from what the driver assumes.

Add a pegasus_usb_ep enum for endpoint numbers, replacing magic
constants throughout. Add usb_check_bulk_endpoints() and
usb_check_int_endpoints() calls before any resource allocation to
verify endpoint types before use, rejecting devices with mismatched
descriptors at probe time, and avoid triggering assertion.

Similar fix to
- commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
- commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel the Pegasus USB driver constructs URBs using hard‑coded endpoint numbers without validating the endpoint descriptors supplied by the device. A malicious or malformed USB device can advertise an endpoint with a transfer type that does not match the driver’s expectation, potentially causing an assertion failure or kernel crash when the URB is processed. This leads to a denial of service on the host system.

Affected Systems

The vulnerability affects all Linux kernel releases that include the Pegasus USB driver, as well as other similar drivers that performed the same unchecked endpoint assignment. The patch is present in the upstream 6.x series; any kernel version prior to the merge of the relevant commits is vulnerable.

Risk and Exploitability

The absence of EPSS data makes quantifying the likelihood difficult, but the flaw can be exercised simply by connecting a crafted USB device to the host. The impact is a kernel crash or instability, and the vulnerability is local in that it requires physical access to the machine. While it is not listed in CISA’s KEV catalog, an affected system could be exposed to DoS attacks in environments where USB polling is common. Administrators should treat this as a moderate‑to‑high risk and act promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a3e64e950a3981a8199de9798f6d21261b959171
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 229dc9b9db475ac900182bafe258943e0e054c6d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 26b3ec62fa1a94ac801feca47f040fc729b3c174
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 35854ed5c40b02f95824e44398f9d2ba33727203
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 67ba6b13dbcaf45681fb6758794c5ac5fa589a6c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d2e7c898cc02dfe42443489a67a45ed616cb76e9
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2705709f6574a088aab246af72fc95f2fea51484
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 3d7e6ce34f4fcc7083510c28b17a7c36462a25d4

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a3e64e950a3981a8199de9798f6d21261b959171)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,26b3ec62fa1a94ac801feca47f040fc729b3c174)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,35854ed5c40b02f95824e44398f9d2ba33727203)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,67ba6b13dbcaf45681fb6758794c5ac5fa589a6c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d2e7c898cc02dfe42443489a67a45ed616cb76e9)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2705709f6574a088aab246af72fc95f2fea51484)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3d7e6ce34f4fcc7083510c28b17a7c36462a25d4)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the Pegasus endpoint‑checking patch or backport the patch from upstream and rebuild the kernel.
If updating is not possible, apply the patch directly to the running kernel source tree, rebuild the driver module, and reload it.
As a temporary workaround, blacklist the pegasus driver using a modprobe.d conf file or restrict USB device insertion with udev rules.

Generated by OpenCVE AI on May 6, 2026 at 13:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6d
https://git.kernel.org/stable/c/26b3ec62fa1a94ac801feca47f040fc729b3c174
https://git.kernel.org/stable/c/2705709f6574a088aab246af72fc95f2fea51484
https://git.kernel.org/stable/c/35854ed5c40b02f95824e44398f9d2ba33727203
https://git.kernel.org/stable/c/3d7e6ce34f4fcc7083510c28b17a7c36462a25d4
https://git.kernel.org/stable/c/67ba6b13dbcaf45681fb6758794c5ac5fa589a6c
https://git.kernel.org/stable/c/a3e64e950a3981a8199de9798f6d21261b959171
https://git.kernel.org/stable/c/d2e7c898cc02dfe42443489a67a45ed616cb76e9

History

Wed, 06 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
Title		net: usb: pegasus: enable basic endpoint checking
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6d https://git.kernel.org/stable/c/26b3ec62fa1a94ac801feca47f040fc729b3c174 https://git.kernel.org/stable/c/2705709f6574a088aab246af72fc95f2fea51484 https://git.kernel.org/stable/c/35854ed5c40b02f95824e44398f9d2ba33727203 https://git.kernel.org/stable/c/3d7e6ce34f4fcc7083510c28b17a7c36462a25d4 https://git.kernel.org/stable/c/67ba6b13dbcaf45681fb6758794c5ac5fa589a6c https://git.kernel.org/stable/c/a3e64e950a3981a8199de9798f6d21261b959171 https://git.kernel.org/stable/c/d2e7c898cc02dfe42443489a67a45ed616cb76e9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:36.491Z

Updated: 2026-05-06T11:27:36.491Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43156

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:33.427

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object