CVE-2026-23365 Overview
A vulnerability has been discovered in the Linux kernel's kalmia USB network driver, caused by missing validation of USB endpoints during device probing. The kalmia driver fails to verify that a USB device has the proper number and types of USB endpoints before binding to it. If a malicious USB device presents itself without the endpoints the driver expects to use for its URBs (USB Request Blocks), the driver will crash when it blindly attempts to access these non-existent endpoints.
Critical Impact
A malicious USB device can cause a kernel crash, leading to denial of service. Attackers with physical access could exploit this to destabilize affected Linux systems.
Affected Products
- Linux kernel (multiple stable versions affected)
- Systems using the kalmia USB network driver (net/usb/kalmia.c)
- Devices utilizing Kalmia-based USB modems
Discovery Timeline
- 2026-03-25 - CVE-2026-23365 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23365
Vulnerability Analysis
The vulnerability resides in the kalmia driver located in net/usb/kalmia.c, which handles Kalmia-based USB networking devices (typically mobile broadband modems). The driver's probe function fails to perform proper validation of USB endpoints before attempting to use them.
When a USB device is connected, the kernel's USB subsystem calls the driver's probe function to determine if the driver should handle the device. The kalmia driver accepts devices based on their USB vendor/product IDs but does not verify the actual endpoint configuration. This creates a security gap where a malicious device can masquerade as a Kalmia-compatible device but provide an unexpected or incomplete endpoint configuration.
Root Cause
The root cause is improper input validation in the USB endpoint handling code. The kalmia driver assumes that any device matching its USB ID criteria will have the correct endpoint structure, including the expected bulk IN and OUT endpoints for data transfer. This assumption violates secure coding practices that require explicit validation of external input, including hardware device configurations.
The driver directly accesses endpoint descriptors without first checking:
- Whether the expected number of endpoints exist
- Whether the endpoint types (bulk, interrupt, etc.) are correct
- Whether the endpoint directions (IN/OUT) match expectations
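The three checks listed above can be modelled in user space. The following is an added example, not the kernel patch or code from the kalmia driver: it walks a raw USB descriptor blob and accepts it only if a bulk IN and a bulk OUT endpoint are both present. The function name `has_bulk_in_out` and the sample descriptors are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_ENDPOINT  0x05  /* bDescriptorType of an endpoint descriptor */
#define EP_DIR_IN    0x80  /* bit 7 of bEndpointAddress: 1 = IN */
#define EP_XFER_MASK 0x03  /* transfer-type bits of bmAttributes */
#define EP_XFER_BULK 0x02

/* Return 1 only if the blob is well-formed and contains at least one bulk IN
 * and one bulk OUT endpoint; 0 for missing, mistyped or malformed input. */
int has_bulk_in_out(const uint8_t *buf, size_t len)
{
    int bulk_in = 0, bulk_out = 0;
    size_t off = 0;

    while (off + 2 <= len) {
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || off + blen > len)
            return 0;                    /* zero-length or truncated descriptor */
        if (btype == DT_ENDPOINT) {
            if (blen < 7)
                return 0;                /* too short to be an endpoint descriptor */
            if ((buf[off + 3] & EP_XFER_MASK) == EP_XFER_BULK) {
                if (buf[off + 2] & EP_DIR_IN) bulk_in = 1;
                else bulk_out = 1;
            }
        }
        off += blen;
    }
    return off == len && bulk_in && bulk_out;
}

/* Constructed samples: one interface descriptor followed by its endpoints. */
static const uint8_t good_cfg[] = {
    9, 0x04, 0, 0, 2, 0xff, 0xff, 0xff, 0,   /* interface, 2 endpoints */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,      /* bulk IN */
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,      /* bulk OUT */
};
static const uint8_t no_ep_cfg[] = { 9, 0x04, 0, 0, 0, 0xff, 0xff, 0xff, 0 };
static const uint8_t wrong_type_cfg[] = {
    9, 0x04, 0, 0, 2, 0xff, 0xff, 0xff, 0,
    7, 0x05, 0x81, 0x03, 0x08, 0x00, 10,     /* interrupt IN, not bulk */
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,      /* bulk OUT */
};

int main(void) {
    printf("%d %d %d\n", has_bulk_in_out(good_cfg, sizeof good_cfg),
           has_bulk_in_out(no_ep_cfg, sizeof no_ep_cfg),
           has_bulk_in_out(wrong_type_cfg, sizeof wrong_type_cfg));
    return 0;
}
```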
Attack Vector
An attacker with physical access to the target system could craft a malicious USB device that enumerates with Kalmia-compatible vendor and product IDs but lacks the proper endpoint configuration. When the kalmia driver binds to this device, it will attempt to access endpoints that do not exist, resulting in a NULL pointer dereference or similar crash condition.
The attack scenario involves:
- Attacker creates a custom USB device (using a microcontroller-based USB device or the USB gadget framework)
- Device is configured to report USB IDs that match the kalmia driver's supported device list
- Device provides malformed or missing endpoint descriptors
- When connected, the kernel loads the kalmia driver, which crashes on endpoint access
This represents a physical attack vector that could be used for denial of service against Linux workstations, servers, or embedded systems that have USB ports accessible to potential attackers.
Detection Methods for CVE-2026-23365
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing kalmia driver functions
- System instability after connecting unknown USB devices
- Kernel log entries showing USB device probing failures in the net/usb/kalmia subsystem
- Repeated USB disconnect/reconnect events from suspicious devices
Detection Strategies
- Monitor kernel logs (dmesg) for crash traces involving kalmia.ko or related USB subsystem functions
- Implement USB device allow-listing to detect unauthorized device connections
- Deploy endpoint detection solutions that monitor for USB-triggered kernel instability
- Review system logs for patterns of USB device enumeration followed by system crashes
Monitoring Recommendations
- Enable kernel crash dump collection to capture technical details of any exploitation attempts
- Configure usbguard or similar USB device management tools to alert on new device connections
- Monitor for USB devices claiming to be Kalmia modems on systems where such hardware is not expected
- Implement physical security controls to restrict USB port access on critical systems
How to Mitigate CVE-2026-23365
Immediate Actions Required
- Update the Linux kernel to a patched version that includes USB endpoint validation
- On systems where USB port access cannot be restricted, consider blacklisting the kalmia module if not required
- Implement physical security measures to prevent unauthorized USB device connections
- Deploy USB device authorization policies using tools like usbguard
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix adds proper validation of USB endpoints in the kalmia driver's probe function, ensuring the device has the expected endpoint configuration before the driver binds to it.
Patches are available from the following kernel git commits:
- Kernel Git Commit 011684cd
- Kernel Git Commit 12c0243d
- Kernel Git Commit 28a380bf
- Kernel Git Commit 51c20ea5
- Kernel Git Commit 7bfda1a0
- Kernel Git Commit c58b6c29
Workarounds
- Blacklist the kalmia kernel module if Kalmia-based USB devices are not required on the system
- Disable USB ports physically or via BIOS/UEFI settings on systems where they are not needed
- Use usbguard to enforce a strict USB device authorization policy
- Implement mandatory access control (SELinux, AppArmor) policies to restrict USB driver loading
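```bash
# Keep kalmia from being auto-loaded when a matching USB device is plugged in
echo "blacklist kalmia" | sudo tee /etc/modprobe.d/blacklist-kalmia.conf
# "blacklist" only stops alias-based autoloading; also block explicit loads by name
echo "install kalmia /bin/false" | sudo tee -a /etc/modprobe.d/blacklist-kalmia.conf
# Rebuild the initramfs so the setting applies at early boot (Debian/Ubuntu)
sudo update-initramfs -u
# Verify: the dry run should print "install /bin/false" rather than an insmod line
modprobe -n -v kalmia
```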