Skip to main content

Linux Kernel EUVDEUVD-2026-27715

| CVE-2026-43156 MEDIUM
2026-05-06 Linux GHSA-4pc7-q2m2-j888
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 10:38 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: enable basic endpoint checking

pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors:

  • usb_rcvbulkpipe(dev, 1) for RX data
  • usb_sndbulkpipe(dev, 2) for TX data
  • usb_rcvintpipe(dev, 3) for status interrupts

A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes.

Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion.

Similar fix to

  • commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
  • commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")

AnalysisAI

Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.

Technical ContextAI

The pegasus driver (net/usb/pegasus.c) is a Linux kernel driver for Pegasus-chipset USB-to-Ethernet adapters. It allocates and fills USB Request Blocks (URBs) during device probe using hardcoded endpoint addresses - usb_rcvbulkpipe(dev, 1) for RX data, usb_sndbulkpipe(dev, 2) for TX data, and usb_rcvintpipe(dev, 3) for status interrupts - without invoking usb_check_bulk_endpoints() or usb_check_int_endpoints() to validate that the device's actual endpoint descriptors match these assumed transfer types. A malicious USB device can enumerate with Pegasus-compatible USB IDs but present endpoints with mismatched types (e.g., isochronous instead of bulk), causing the kernel to hit an internal assertion when the URB is submitted. The fix pattern mirrors identical remediation applied to the rtl8150 driver (commit 90b7f2961798) and catc driver (commit 9e7021d2aeae). CWE is listed as N/A in available data, but the root cause class is improper input validation of USB descriptor data at device probe time. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched stable kernel release: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0, depending on the active stable branch in use. Upstream fix commits are available at kernel.org (e.g., https://git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6d for one branch; see all eight reference commits for branch-specific patches). For Red Hat and SUSE systems, apply distribution vendor patches as they become available through official channels. As a compensating control where immediate kernel upgrade is not feasible, deploy USB device allowlisting via USBGuard (Linux) to block untrusted USB peripherals from being attached; note this requires pre-enrollment of all legitimate devices and may cause operational disruption if not configured carefully. Disabling the pegasus kernel module (rmmod pegasus; echo 'blacklist pegasus' >> /etc/modprobe.d/blacklist.conf) will prevent the driver from loading entirely but will also break any legitimate Pegasus USB-to-Ethernet adapters in use.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy