CVE Catalog

CVE-2026-23290

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

The pegasus USB driver in the Linux kernel lacks validation of USB endpoints. A malicious USB device can crash the driver by not providing the expected endpoints.

Risk Assessment

An attacker can plug a crafted USB device causing a kernel panic or potentially arbitrary code execution in kernel context.

Recommendation

Apply the security patch from your Linux kernel distributor for the version affected by CVE-2026-23290. If unavailable, temporarily blacklist the pegasus module or restrict physical USB port access.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS