SB2026032583 - Uncontrolled Recursion in Linux kernel net usb driver
Published: March 25, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Uncontrolled Recursion (CVE-ID: CVE-2026-23365)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to the physical access requirement.
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/011684cd18349aa4c52167c8ac37a0524169f48c
- https://git.kernel.org/stable/c/12c0243de0aee0ab27cc00932fd5edae65c1e3a2
- https://git.kernel.org/stable/c/28a380bfa5bc7f6a9380b85e8eab919ee6ac1701
- https://git.kernel.org/stable/c/51c20ea5f1555a984c041b0dbf56f00d41b9e652
- https://git.kernel.org/stable/c/7bfda1a0be4caec3263753d567678451cef73a85
- https://git.kernel.org/stable/c/c58b6c29a4c9b8125e8ad3bca0637e00b71e2693