CVE-2026-43156 Overview
CVE-2026-43156 is a Linux kernel vulnerability in the pegasus USB-to-Ethernet driver located at drivers/net/usb/pegasus.c. The driver's pegasus_probe() function fills USB Request Blocks (URBs) with hardcoded endpoint pipes without verifying the corresponding endpoint descriptors. A malformed or malicious USB device can present endpoints whose transfer types differ from what the driver assumes, triggering kernel assertions when the URBs are submitted.
Critical Impact
A crafted USB device attached to a vulnerable Linux host can trigger a kernel assertion failure in the pegasus driver during device probing, leading to denial of service.
Affected Products
- Linux kernel versions containing the pegasus USB Ethernet driver prior to the fix
- Stable kernel branches referenced by commits 229dc9b, 26b3ec6, 2705709, 35854ed, 3d7e6ce, 67ba6b1, a3e64e9, and d2e7c89
- Systems exposing USB ports to untrusted physical access
Discovery Timeline
- 2026-05-06 - CVE-2026-43156 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43156
Vulnerability Analysis
The pegasus_probe() function constructs URBs using fixed endpoint numbers without first validating the device's endpoint descriptors. Specifically, the driver calls usb_rcvbulkpipe(dev, 1) for receive (RX) data, usb_sndbulkpipe(dev, 2) for transmit (TX) data, and usb_rcvintpipe(dev, 3) for status interrupts. These calls assume the corresponding endpoints exist and use the expected transfer types.
When a USB device advertises endpoint numbers 1, 2, or 3 with mismatched transfer types — for example, an interrupt endpoint where the driver expects a bulk endpoint — the URB submission path triggers a kernel assertion. This is a kernel driver input validation flaw that can be exploited by attaching a malicious USB device to a target system.
Root Cause
The root cause is missing input validation on USB endpoint descriptors. The driver trusts hardcoded endpoint numbers and transfer types instead of querying the device's actual descriptor table. The fix introduces a pegasus_usb_ep enum to replace magic constants and adds usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation. Devices presenting mismatched descriptors are now rejected at probe time.
Attack Vector
Exploitation requires the attacker to attach a malformed USB device to the target Linux host or to compromise an already-attached device's firmware. When the kernel enumerates the device and matches it to the pegasus driver, the unverified endpoint usage triggers the assertion. The same class of bug was previously addressed in the rtl8150 driver (commit 90b7f2961798) and catc driver (commit 9e7021d2aeae).
No verified public proof-of-concept code is available. See the Linux Kernel Commit 229dc9b for the patch implementation.
Detection Methods for CVE-2026-43156
Indicators of Compromise
- Kernel log entries referencing pegasus_probe failures or USB endpoint assertion warnings
- Unexpected kernel panics or BUG() traces tied to URB submission shortly after USB device attachment
- Connection of unrecognized USB-to-Ethernet adapters claiming pegasus-compatible vendor and product identifiers
Detection Strategies
- Monitor dmesg and journalctl -k for pegasus driver warnings and URB-related kernel oops messages
- Audit USB device enumeration events using udev logging or auditd rules tracking USB subsystem activity
- Compare loaded kernel versions against the fixed stable releases referenced in the upstream commits
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on driver-level assertion strings
- Track USB attach and detach events on servers and workstations that should not normally accept removable peripherals
- Maintain an inventory of kernel versions across the fleet to identify unpatched hosts
How to Mitigate CVE-2026-43156
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 229dc9b9db47, 26b3ec62fa1a, 2705709f6574, 35854ed5c40b, 3d7e6ce34f4f, 67ba6b13dbca, a3e64e950a39, and d2e7c898cc02
- Update to a stable kernel release that incorporates the endpoint validation fix
- Restrict physical access to USB ports on systems that handle sensitive workloads
Patch Information
The fix adds usb_check_bulk_endpoints() and usb_check_int_endpoints() calls to pegasus_probe() before any resource allocation, so that a device whose endpoint descriptors do not match the hardcoded pipes is rejected at probe time rather than reaching URB submission. Distribution maintainers have backported the change across multiple stable branches. Refer to the Linux Kernel Commit a3e64e9 and the Linux Kernel Commit d2e7c89 for the canonical implementations.
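The following userspace C model is an added illustration, not the kernel's or the driver's code, of the probe-time gate described in the Root Cause and Patch Information sections: it replays the logic of usb_check_bulk_endpoints()/usb_check_int_endpoints() against constructed descriptor tables for the three endpoints pegasus_probe() hardcodes. The struct, the enum and the helper names are assumptions, and the descriptor tables are constructed rather than captured from a device.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* bmAttributes bits 1:0 = transfer type; bEndpointAddress bit 7 = IN. */
#define EP_XFER_MASK 0x03
#define EP_XFER_BULK 0x02
#define EP_XFER_INT  0x03

/* Minimal stand-in for a kernel endpoint descriptor (hypothetical struct). */
struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };

/* Addresses pegasus_probe() hardcodes via usb_rcvbulkpipe(dev, 1),
 * usb_sndbulkpipe(dev, 2) and usb_rcvintpipe(dev, 3); enum names are ours. */
enum pegasus_ep_addr { PEGASUS_EP_RX = 0x81, PEGASUS_EP_TX = 0x02, PEGASUS_EP_STATUS = 0x83 };

/* Model of usb_check_bulk_endpoints()/usb_check_int_endpoints(): every address
 * in the zero-terminated list must exist and carry the expected transfer type. */
static bool check_endpoints(const struct ep_desc *eps, size_t n_eps,
                            const uint8_t *ep_addrs, uint8_t xfer_type)
{
    for (; *ep_addrs; ++ep_addrs) {
        const struct ep_desc *found = NULL;
        for (size_t i = 0; i < n_eps && !found; i++)
            if (eps[i].bEndpointAddress == *ep_addrs)
                found = &eps[i];
        if (!found || (found->bmAttributes & EP_XFER_MASK) != xfer_type)
            return false;
    }
    return true;
}

/* Probe-time gate, run before any URB is filled or memory allocated, so a
 * device whose descriptors contradict the hardcoded pipes is rejected
 * instead of reaching usb_submit_urb() with a mismatched pipe type. */
bool pegasus_endpoints_valid(const struct ep_desc *eps, size_t n_eps)
{
    static const uint8_t bulk_eps[] = { PEGASUS_EP_RX, PEGASUS_EP_TX, 0 };
    static const uint8_t int_eps[]  = { PEGASUS_EP_STATUS, 0 };
    return check_endpoints(eps, n_eps, bulk_eps, EP_XFER_BULK) &&
           check_endpoints(eps, n_eps, int_eps, EP_XFER_INT);
}

/* Constructed descriptor tables: a conforming adapter, a device advertising
 * endpoint 1 as interrupt where bulk is assumed, and one missing endpoint 3. */
const struct ep_desc good_eps[]     = { {0x81, 0x02}, {0x02, 0x02}, {0x83, 0x03} };
const struct ep_desc bad_type_eps[] = { {0x81, 0x03}, {0x02, 0x02}, {0x83, 0x03} };
const struct ep_desc missing_eps[]  = { {0x81, 0x02}, {0x02, 0x02} };
```

Only the conforming table passes; the mismatched-type and missing-endpoint tables are both rejected before any URB would be built.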
Workarounds
- Blacklist the pegasus kernel module on systems that do not require legacy USB-to-Ethernet adapters by adding a 'blacklist pegasus' line to a file under /etc/modprobe.d/
- Enforce USB device authorization policies using usbguard to allow only known-good vendor and product identifiers
- Disable unused USB controllers in BIOS or UEFI on dedicated server hardware
# Configuration example: stop the pegasus module from being auto-loaded on device match
echo 'blacklist pegasus' | sudo tee /etc/modprobe.d/blacklist-pegasus.conf
# Rebuild the initramfs so the blacklist also applies during early boot (Debian/Ubuntu)
sudo update-initramfs -u
# Unload the module now if it is already loaded
sudo modprobe -r pegasus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


