CVE-2026-43156
Awaiting Analysis Awaiting Analysis - Queue
USB Endpoint Validation Flaw in Linux Kernel Pegasus Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43156
EUVD
EUVD-2026-27715
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is resolved by enabling basic endpoint checking in the pegasus USB driver within the Linux kernel.

To mitigate this vulnerability, update your Linux kernel to a version that includes the fix which adds verification of USB endpoint descriptors before resource allocation, rejecting devices with mismatched descriptors at probe time.

Executive Summary

This vulnerability exists in the Linux kernel's USB driver for Pegasus devices. The pegasus_probe() function fills USB Request Blocks (URBs) with hardcoded endpoint pipes without verifying the actual endpoint descriptors presented by the USB device.

Specifically, it assumes certain endpoints for receiving data, transmitting data, and status interrupts without checking if the device's endpoints match these assumptions. A malformed USB device can present endpoints with transfer types different from what the driver expects, potentially causing issues.

The fix involved adding an enumeration for endpoint numbers and adding checks to verify endpoint types before allocating resources, rejecting devices with mismatched descriptors during the probe phase to avoid triggering assertions.

Impact Analysis

If exploited, this vulnerability could cause the Linux kernel's USB driver to misinterpret endpoint types from a USB device, potentially leading to incorrect handling of USB data transfers.

This could result in system instability, crashes, or unexpected behavior when interacting with malformed or malicious USB devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart