CVE-2026-23290
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
The pegasus USB driver in the Linux kernel lacks validation of USB endpoints. A malicious USB device can crash the driver by not providing the expected endpoints.
Risk Assessment
An attacker can plug a crafted USB device causing a kernel panic or potentially arbitrary code execution in kernel context.
Recommendation
Apply the security patch from your Linux kernel distributor for the version affected by CVE-2026-23290. If unavailable, temporarily blacklist the pegasus module or restrict physical USB port access.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

