CVE-2026-23021 Overview
A memory leak vulnerability has been identified in the Linux kernel's Pegasus USB network driver, specifically in the update_eth_regs_async() function. When asynchronously writing to device registers, if usb_submit_urb() fails, the code fails to release resources that were allocated up to that point. This can lead to kernel memory exhaustion over time, particularly on systems where the affected USB network devices experience repeated connection issues.
Critical Impact
Systems using Pegasus USB-to-Ethernet adapters may experience gradual memory exhaustion due to unreleased resources when USB request block submissions fail, potentially leading to system instability or denial of service.
Affected Products
- Linux kernel (net/usb/pegasus driver)
- Systems utilizing ADMtek Pegasus or Pegasus II USB-to-Ethernet adapters
- Multiple kernel versions prior to the security patches
Discovery Timeline
- 2026-01-31 - CVE-2026-23021 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23021
Vulnerability Analysis
The vulnerability exists within the Pegasus USB network driver's asynchronous register update mechanism. The update_eth_regs_async() function allocates memory resources including URB (USB Request Block) structures and associated buffers for communicating with the USB device. When the function calls usb_submit_urb() to submit the request to the USB subsystem, a failure condition can occur due to various reasons such as device disconnection, resource constraints, or USB bus errors.
The flaw manifests because the error handling path in update_eth_regs_async() does not properly deallocate the memory that was allocated prior to the failed submission. This includes the URB structure itself and any control transfer buffers that were prepared for the asynchronous operation.
Root Cause
The root cause is improper resource cleanup in the error handling path of the update_eth_regs_async() function. When usb_submit_urb() returns an error, the function exits without calling the appropriate cleanup routines (usb_free_urb() and kfree()) to release the allocated URB and associated memory buffers. This constitutes a classic memory leak pattern where allocated resources are orphaned when an operation fails partway through execution.
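The leak pattern described above, as a userspace C model added here for illustration; it is not the kernel driver's code. The names model_alloc, model_free, model_submit and model_complete are hypothetical stand-ins for the kernel allocators, usb_submit_urb() and the URB completion handler, and the success-path ownership shown is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel allocators (hypothetical names). */
static int live_allocs;          /* allocations not yet released */
static int submit_fails = 1;     /* make the modelled submission fail */

static void *model_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

struct model_urb { void *setup_packet; };

/* Stand-in for usb_submit_urb(): 0 on success, negative errno on failure. */
static int model_submit(struct model_urb *urb) { (void)urb; return submit_fails ? -19 : 0; }

/* Assumption: on success the completion handler owns and frees both objects. */
static void model_complete(struct model_urb *urb) { model_free(urb->setup_packet); model_free(urb); }

/* Shared body; cleanup_on_error selects the leaky (0) or corrected (1) error path. */
static int update_regs(int cleanup_on_error)
{
    void *req = model_alloc(8);                 /* control request buffer */
    if (!req) return -12;
    struct model_urb *urb = model_alloc(sizeof(*urb));
    if (!urb) { model_free(req); return -12; }
    urb->setup_packet = req;

    int ret = model_submit(urb);
    if (ret) {
        if (cleanup_on_error) {                 /* the cleanup the leaky path lacks */
            model_free(urb);                    /* models usb_free_urb() */
            model_free(req);                    /* models kfree() */
        }
        return ret;                             /* leaky path: both objects orphaned */
    }
    model_complete(urb);
    return 0;
}

/* Objects left allocated after `calls` calls with the given submit outcome. */
int outstanding_after(int cleanup_on_error, int fail, int calls)
{
    live_allocs = 0;
    submit_fails = fail;
    for (int i = 0; i < calls; i++) update_regs(cleanup_on_error);
    return live_allocs;
}

int main(void)
{
    printf("leaky: %d  fixed: %d\n", outstanding_after(0, 1, 100), outstanding_after(1, 1, 100));
    return 0;
}
```

In the model, every failed submission on the leaky path strands two objects, which is why the leak grows linearly with the number of failures.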
Attack Vector
The attack vector for this vulnerability is local and requires the ability to trigger repeated failures of USB request submissions. An attacker with local access could potentially exploit this by:
- Repeatedly connecting and disconnecting a Pegasus USB network adapter
- Inducing USB bus errors that cause usb_submit_urb() to fail
- Creating conditions that exhaust USB subsystem resources, forcing submission failures
Each failed submission leaks a small amount of kernel memory. Over time, with sustained triggering of the vulnerability, this can lead to significant memory consumption and potential denial of service conditions on the affected system.
The vulnerability is exploited through physical device manipulation or by creating USB subsystem stress conditions that cause the asynchronous register update operations to fail during the submission phase.
Detection Methods for CVE-2026-23021
Indicators of Compromise
- Gradual increase in kernel memory usage (slab allocations) on systems with Pegasus USB network adapters
- Increasing count of URB-related memory objects in /proc/slabinfo
- System logs showing repeated usb_submit_urb failures from the pegasus driver
- Memory pressure warnings or OOM (Out of Memory) conditions on long-running systems
Detection Strategies
- Monitor kernel memory allocations using tools like slabtop or /proc/meminfo for unusual growth patterns
- Implement kernel tracing on USB subsystem calls to detect repeated URB submission failures
- Review dmesg output for Pegasus driver error messages indicating USB communication issues
- Use eBPF/BPF tracing to monitor the update_eth_regs_async() function for error returns
Monitoring Recommendations
- Configure system monitoring to alert on sustained kernel memory growth
- Set up log aggregation to capture and analyze Pegasus driver error messages
- Implement automated kernel memory usage thresholds for systems using affected USB network devices
- Deploy SentinelOne agents to monitor for anomalous system resource consumption patterns
How to Mitigate CVE-2026-23021
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches
- If patching is not immediately possible, consider temporarily disabling or removing Pegasus USB network adapters from critical systems
- Monitor affected systems for memory exhaustion symptoms
- Plan maintenance windows for kernel updates on production systems
Patch Information
The Linux kernel development team has released patches to address this memory leak vulnerability. Multiple commits have been made to various kernel stable branches to ensure comprehensive coverage:
- Kernel Commit 471dfb97599e
- Kernel Commit 5397ea6d21c3
- Kernel Commit 93f18eaa1903
- Kernel Commit a40af9a2904a
- Kernel Commit ac5d92d2826d
- Kernel Commit afa27621a28a
- Kernel Commit ce6eef731aba
Organizations should update to kernel versions containing these patches through their distribution's package management system.
Workarounds
- Blacklist the pegasus kernel module if the USB network adapter is not required: add blacklist pegasus to /etc/modprobe.d/blacklist.conf
- Use alternative USB network adapters that utilize different kernel drivers
- Implement resource monitoring and automatic system restarts if memory thresholds are exceeded
- Physically remove Pegasus USB network adapters from affected systems until patches can be applied
# Configuration example
# Blacklist the pegasus module to prevent loading
echo "blacklist pegasus" | sudo tee /etc/modprobe.d/pegasus-blacklist.conf
# Unload the module if currently loaded
sudo modprobe -r pegasus
# Verify the module is not loaded
lsmod | grep pegasus

