VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68217

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: pegasus-notetaker - fix potential out-of-bounds access

In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malicious USB device can trigger an out-of-bounds memory access in the Linux kernel's Pegasus Notetaker driver due to insufficient buffer size validation.

Vulnerability

Description

In the Linux kernel's pegasus_notetaker input driver, the pegasus_probe() function allocates a URB transfer buffer based on the wMaxPacketSize value from the USB endpoint descriptor. An attacker with physical access can plug in a malicious USB device that advertises a very small wMaxPacketSize, causing the kernel to allocate an undersized buffer. Subsequently, when the device sends an interrupt packet where the first byte is 0x80 or 0x42, the pegasus_parse_packet() function parses the packet without verifying that the received data fits within the allocated buffer, leading to an out-of-bounds read or write [1][2][3].

Exploitation

The attack requires an attacker to have physical access to the target system and the ability to connect a malicious, specially crafted USB device. No authentication is needed beyond the ability to insert a USB device. The vulnerability is triggered during normal USB interrupt handling, meaning the attacker does not need to interact with the system beyond plugging in the malicious device.

Impact

A successful out-of-bounds access can corrupt kernel memory, including potentially sensitive kernel memory, leading to a system crash (denial of service) or, in more severe cases, arbitrary code execution with kernel privileges. This could allow an attacker to fully compromise the affected system.

Mitigation

The vulnerability has been patched in the Linux kernel stable releases. The fix adds proper bounds checking in pegasus_parse_packet() to ensure the received packet does not exceed the allocated buffer size. Users should apply the relevant stable kernel updates to mitigate this issue.
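The bounds checks this class of bug calls for, as an added userspace model (not the kernel patch and not the driver's code). The function names, the packet lengths and the field offsets are assumptions made for illustration; the probe-time size check is an extra defensive layer in this model, not a claim about what the upstream fix contains.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not driver code: lengths and offsets are assumptions. */
#define PKT_SPECIAL 0x80 /* first-byte values named in the advisory */
#define PKT_XY      0x42
#define SPECIAL_LEN 2    /* assumed: type byte + command byte */
#define XY_LEN      6    /* assumed: type, flags, x (le16), y (le16) */

enum parse_result { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_UNKNOWN = -2 };
struct pen_event { uint8_t cmd; uint16_t x, y; };

/* Probe time: refuse an endpoint whose advertised wMaxPacketSize cannot
 * hold the largest layout the parser reads, so no undersized buffer
 * is ever allocated. */
int model_probe_check(uint16_t w_max_packet_size)
{
    return w_max_packet_size >= XY_LEN ? 0 : -1;
}

/* Parse time: 'len' is the number of valid bytes in 'data' and never
 * exceeds the allocation. Each case checks the length it needs before
 * touching any offset past data[0]. */
enum parse_result model_parse_packet(const uint8_t *data, size_t len,
                                     struct pen_event *ev)
{
    if (len < 1)
        return PARSE_SHORT;
    switch (data[0]) {
    case PKT_SPECIAL:
        if (len < SPECIAL_LEN)
            return PARSE_SHORT;
        ev->cmd = data[1];
        return PARSE_OK;
    case PKT_XY:
        if (len < XY_LEN)
            return PARSE_SHORT;
        ev->x = (uint16_t)(data[2] | (data[3] << 8));
        ev->y = (uint16_t)(data[4] | (data[5] << 8));
        return PARSE_OK;
    default:
        return PARSE_UNKNOWN;
    }
}

int main(void)
{
    struct pen_event ev = {0};
    const uint8_t tiny[1] = { PKT_XY }; /* constructed: 1-byte buffer */
    return model_parse_packet(tiny, sizeof tiny, &ev) == PARSE_SHORT ? 0 : 1;
}
```

Either check alone closes the out-of-bounds access in this model; keeping both means the parser stays safe even if a later change alters how the buffer is sized.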

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
