CVE-2026-43156
Description
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: enable basic endpoint checking
pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors:
- usb_rcvbulkpipe(dev, 1) for RX data
- usb_sndbulkpipe(dev, 2) for TX data
- usb_rcvintpipe(dev, 3) for status interrupts
A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes.
Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion.
Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's pegasus USB Ethernet driver, missing endpoint descriptor validation allows a malformed device to trigger undefined behavior; fixed by adding type checks before probe.
Vulnerability
Details
The pegasus driver in the Linux kernel hardcoded endpoint pipes for RX, TX, and status interrupts—using endpoints 1, 2, and 3 respectively—without verifying the corresponding endpoint descriptors. A malformed USB device could present these endpoints with transfer types that differ from what the driver expects, leading to potential misuse of USB pipes [1][2][3][4].
Exploitation
To exploit this, an attacker needs to be able to connect a malicious USB device to the target system. No authentication is required; the vulnerability is triggered during device enumeration when the driver's probe function (pegasus_probe()) attempts to fill URBs using the hardcoded endpoint numbers. The bug is reachable by any user with physical or locally accessible USB ports.
Impact
Successful exploitation can cause the kernel to trigger an assertion failure or enter an undefined state due to mismatched endpoint transfer types. While the CVSS score is 5.5 (medium), the consequence is a denial of service or potential system instability.
Mitigation
The fix introduces usb_check_bulk_endpoints() and usb_check_int_endpoints() calls in the probe path and replaces magic constants with a pegasus_usb_ep enum. The patches are available in stable kernel updates [1][2][3][4], and users are advised to apply the latest stable kernel or backport the commits.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.12.1,<5.10.252
- cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6dnvdPatch
- git.kernel.org/stable/c/26b3ec62fa1a94ac801feca47f040fc729b3c174nvdPatch
- git.kernel.org/stable/c/2705709f6574a088aab246af72fc95f2fea51484nvdPatch
- git.kernel.org/stable/c/35854ed5c40b02f95824e44398f9d2ba33727203nvdPatch
- git.kernel.org/stable/c/3d7e6ce34f4fcc7083510c28b17a7c36462a25d4nvdPatch
- git.kernel.org/stable/c/67ba6b13dbcaf45681fb6758794c5ac5fa589a6cnvdPatch
- git.kernel.org/stable/c/a3e64e950a3981a8199de9798f6d21261b959171nvdPatch
- git.kernel.org/stable/c/d2e7c898cc02dfe42443489a67a45ed616cb76e9nvdPatch
News mentions
0No linked articles in our index yet.