CVE-2026-23312 Overview
A vulnerability has been discovered in the Linux kernel's kaweth network USB driver that fails to properly validate USB endpoints before binding to devices. The driver does not verify that the device being probed has the expected number and types of USB endpoints, which can lead to system crashes when the driver attempts to access non-existent USB request blocks (URBs).
Critical Impact
A malicious or malformed USB device can cause kernel crashes and system instability by exploiting the lack of endpoint validation in the kaweth driver.
Affected Products
- Linux kernel (kaweth USB network driver)
- Systems using USB-to-Ethernet adapters based on KLSI KL5KUSB101 chipsets
- Multiple Linux kernel stable branches
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23312 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23312
Vulnerability Analysis
The vulnerability exists in the kaweth driver, which is used for USB-to-Ethernet network adapters based on the KLSI KL5KUSB101 chipset. When the driver probes a USB device during connection, it assumes the device has the correct USB endpoint configuration without performing validation checks.
The driver blindly accesses USB endpoints that it expects to be present, but a malicious or improperly configured USB device may not provide the expected endpoints. When the driver attempts to use these non-existent endpoints, it results in accessing invalid memory regions or null pointers, leading to a kernel crash.
This type of vulnerability falls under the category of improper input validation for USB device descriptors. The kernel's USB subsystem provides mechanisms for drivers to validate endpoint configurations, but the kaweth driver was not utilizing these safeguards before this fix.
Root Cause
The root cause is missing input validation in the kaweth driver's probe function. The driver does not check whether the USB device descriptor contains the expected bulk IN and bulk OUT endpoints before attempting to use them. This violates secure coding practices for USB driver development, where drivers should never trust device-provided descriptors without verification.
Attack Vector
The attack requires physical access to connect a malicious USB device to the target system. An attacker could craft a USB device that enumerates with the kaweth driver's vendor/product IDs but provides an incomplete or malformed endpoint configuration. When the system attempts to load the kaweth driver for this device, the driver's subsequent operations on missing endpoints will trigger a kernel crash.
The exploitation path involves:
- Creating a USB device that matches kaweth's device identification criteria
- Omitting expected USB endpoints from the device descriptor
- Connecting the device to a vulnerable Linux system
- The kaweth driver binds to the device and crashes when accessing missing endpoints
Detection Methods for CVE-2026-23312
Indicators of Compromise
- Kernel panic or oops messages referencing the kaweth module
- Unexpected system crashes occurring immediately after USB device connection events
- Kernel log entries showing null pointer dereferences in kaweth driver functions
- USB device connection events for unknown or suspicious USB-Ethernet adapters
Detection Strategies
- Monitor kernel logs (dmesg, journalctl -k) for kaweth-related crash signatures or warnings
- Implement USB device whitelisting to restrict unauthorized device connections
- Use tools like usbguard to monitor and control USB device authorization
- Deploy endpoint detection solutions that can identify malicious USB device behaviors
Monitoring Recommendations
- Enable kernel crash dump collection to capture evidence when system crashes occur
- Configure monitoring for USB device attach/detach events in system logs
- Review connected USB devices periodically using lsusb and compare against known-good baselines
- Implement alerting for kernel oops or panic events involving network or USB subsystems
How to Mitigate CVE-2026-23312
Immediate Actions Required
- Apply the kernel patches from the stable kernel branches as soon as possible
- Consider disabling the kaweth driver module if not required using modprobe.blacklist=kaweth
- Implement physical USB port access controls to prevent unauthorized device connections
- Deploy USB device authorization policies to restrict device binding
Patch Information
Multiple patches have been released across Linux kernel stable branches to address this vulnerability. The fix adds proper USB endpoint validation to the kaweth driver's probe function, ensuring the device has the expected endpoints before the driver binds to it.
Relevant kernel commits:
- Linux Kernel Commit Update 1
- Linux Kernel Commit Update 2
- Linux Kernel Commit Update 3
- Linux Kernel Commit Update 4
- Linux Kernel Commit Update 5
- Linux Kernel Commit Update 6
Workarounds
- Blacklist the kaweth kernel module if USB-Ethernet functionality is not needed
- Restrict physical access to USB ports on sensitive systems
- Use USB port blockers or disable unused USB ports in BIOS/UEFI settings
- Deploy usbguard or similar tools to create USB device whitelists
# Blacklist kaweth module to prevent loading
echo "blacklist kaweth" | sudo tee /etc/modprobe.d/blacklist-kaweth.conf
# Unload module if currently loaded
sudo modprobe -r kaweth
# Verify module is not loaded
lsmod | grep kaweth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
