Uncontrolled Recursion in Linux kernel - CVE-2026-23365
Published: March 25, 2026
Vulnerability identifier: #VU124481
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23365
CWE-ID: CWE-674
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to physical access requirement.
How to mitigate CVE-2026-23365
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/011684cd18349aa4c52167c8ac37a0524169f48c
- https://git.kernel.org/stable/c/12c0243de0aee0ab27cc00932fd5edae65c1e3a2
- https://git.kernel.org/stable/c/28a380bfa5bc7f6a9380b85e8eab919ee6ac1701
- https://git.kernel.org/stable/c/51c20ea5f1555a984c041b0dbf56f00d41b9e652
- https://git.kernel.org/stable/c/7bfda1a0be4caec3263753d567678451cef73a85
- https://git.kernel.org/stable/c/c58b6c29a4c9b8125e8ad3bca0637e00b71e2693