CVE-2026-43156

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: enable basic endpoint checking

pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors:

  • usb_rcvbulkpipe(dev, 1) for RX data
  • usb_sndbulkpipe(dev, 2) for TX data
  • usb_rcvintpipe(dev, 3) for status interrupts

A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes.

Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion.

Similar fix to

  • commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
  • commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a3e64e950a3981a8199de9798f6d21261b959171affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 229dc9b9db475ac900182bafe258943e0e054c6daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 26b3ec62fa1a94ac801feca47f040fc729b3c174affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 35854ed5c40b02f95824e44398f9d2ba33727203affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 67ba6b13dbcaf45681fb6758794c5ac5fa589a6caffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d2e7c898cc02dfe42443489a67a45ed616cb76e9affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2705709f6574a088aab246af72fc95f2fea51484affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3d7e6ce34f4fcc7083510c28b17a7c36462a25d4affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.252 <= 5.10.*unaffected
LinuxLinux5.15.202 <= 5.15.*unaffected
LinuxLinux6.1.165 <= 6.1.*unaffected
LinuxLinux6.6.128 <= 6.6.*unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.16 <= 6.18.*unaffected
LinuxLinux6.19.6 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References