Skip to main content

Linux EUVDEUVD-2026-15219

| CVE-2026-23290 MEDIUM
2026-03-25 Linux GHSA-gpw9-p95r-3mv6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15219
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: validate USB endpoints

The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

AnalysisAI

The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.

Technical ContextAI

The pegasus driver (drivers/net/usb/pegasus.c) is a USB network adapter driver in the Linux kernel that manages Pegasus-based USB Ethernet devices. The vulnerability stems from improper input validation when probing USB devices—the driver does not verify that the device provides the expected USB endpoints (interrupt, bulk-in, and bulk-out) before attempting to use them. This is a classic case of missing bounds checking and device capability validation (CWE-252: Unchecked Return Value, and CWE-20: Improper Input Validation). The affected CPE (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) indicates all versions of the Linux kernel are potentially vulnerable until patched. When the driver later blindly accesses these unvalidated endpoints during normal operation (e.g., in interrupt handlers or data transfer routines), a malicious device lacking these endpoints will cause the kernel to dereference null or invalid pointers, triggering a kernel panic.

RemediationAI

Apply the pegasus driver validation patch by upgrading to a patched Linux kernel version corresponding to your distribution and branch. For stable kernel users, pull and rebuild from the latest stable branch (4.19, 5.4, 5.10, 5.15, 6.1, 6.6, or later) that includes the commit referenced above (kernel maintainers recommend using git cherry-pick for the specific commits if in-place patching is not yet available in your distribution). For distribution users (Ubuntu, RHEL, Debian, etc.), check with your vendor's security advisory for patched kernel versions and apply via your standard package management (apt-get, yum, zypper, etc.). Until patching is complete, disable or unload the pegasus driver module (rmmod pegasus) on systems that do not require Pegasus USB Ethernet adapters, and restrict physical USB access by disabling unused USB ports or implementing USB device whitelisting via udev rules. Monitor kernel logs for pegasus-related errors or unexpected crashes. Because this is a physical attack surface, organizations should also enforce endpoint device policies prohibiting untrusted USB devices in sensitive environments.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy