CVE-2026-23365

NameCVE-2026-23365
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net: usb: kalmia: validate USB endpoints The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4561-1, DLA-4606-1, DSA-6238-1, DSA-6243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)bullseye5.10.223-1vulnerable
bullseye (security)5.10.257-1fixed
bookworm6.1.170-3fixed
bookworm (security)6.1.174-1fixed
trixie6.12.86-1fixed
trixie (security)6.12.90-2fixed
forky7.0.10-1fixed
sid7.0.12-2fixed
linux-6.1 (PTS)bullseye (security)6.1.174-1~deb11u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebullseye5.10.257-1DLA-4606-1
linuxsourcebookworm6.1.170-1DSA-6243-1
linuxsourcetrixie6.12.85-1DSA-6238-1
linuxsource(unstable)6.19.8-1
linux-6.1sourcebullseye6.1.170-1~deb11u1DLA-4561-1

Notes

https://git.kernel.org/linus/c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 (7.0-rc2)
Search for package or bug name: Reporting problems