Linux Kernel Pegasus Driver USB Endpoint Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's pegasus USB driver, which does not validate the number and types of USB endpoints on the devices it probes. Because the driver then accesses these endpoints blindly, it can crash, particularly when a malicious device does not present the expected endpoints.

Impact

The vulnerability can cause a denial of service by crashing the driver when it accesses non-existent or incorrect USB endpoints.

Reproduction

The vulnerability can be reproduced by connecting a malicious USB device that does not provide the expected endpoints to the system. The pegasus driver will probe the device and, because the unexpected endpoint configuration is not rejected at that point, will later crash when it attempts to access the missing or incorrect endpoints.
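The kind of probe-time check whose absence is described above, as an added userspace example; it is not the kernel's pegasus code or the upstream fix. The names `ep_desc` and `validate_endpoints`, and the required layout (bulk IN on endpoint 1, bulk OUT on 2, interrupt IN on 3), are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit fields of the standard USB endpoint descriptor. */
#define EP_DIR_IN    0x80  /* bEndpointAddress bit 7: IN direction */
#define EP_NUM_MASK  0x0f  /* bEndpointAddress bits 3..0: endpoint number */
#define EP_XFER_MASK 0x03  /* bmAttributes bits 1..0: transfer type */
#define EP_XFER_BULK 0x02
#define EP_XFER_INT  0x03

struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };

/* Assumed for this example: the endpoints the driver will address later. */
static const struct ep_desc required[] = {
    { 0x01 | EP_DIR_IN, EP_XFER_BULK },  /* bulk IN (receive)   */
    { 0x02,             EP_XFER_BULK },  /* bulk OUT (transmit) */
    { 0x03 | EP_DIR_IN, EP_XFER_INT  },  /* interrupt IN        */
};

/* Return 1 if the device exposes an endpoint with this number, direction
 * and transfer type; reserved descriptor bits are ignored. */
static int has_endpoint(const struct ep_desc *eps, size_t n, struct ep_desc want)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t addr = eps[i].bEndpointAddress & (EP_DIR_IN | EP_NUM_MASK);
        uint8_t type = eps[i].bmAttributes & EP_XFER_MASK;
        if (addr == want.bEndpointAddress && type == want.bmAttributes)
            return 1;
    }
    return 0;
}

/* Probe-time gate: 0 if every required endpoint is present, -1 otherwise,
 * so the driver refuses to bind instead of touching endpoints later. */
int validate_endpoints(const struct ep_desc *eps, size_t n)
{
    if (eps == NULL)
        return -1;
    for (size_t i = 0; i < sizeof(required) / sizeof(required[0]); i++)
        if (!has_endpoint(eps, n, required[i]))
            return -1;
    return 0;
}

/* Constructed sample descriptor sets (not captured from real devices). */
const struct ep_desc good_dev[]   = { {0x81, 0x02}, {0x02, 0x02}, {0x83, 0x03} };
const struct ep_desc wrong_type[] = { {0x81, 0x02}, {0x02, 0x02}, {0x83, 0x02} };
const struct ep_desc missing_ep[] = { {0x81, 0x02} };
```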

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.

Added: Mar 25, 2026, 1:22 PM
Updated: Mar 25, 2026, 1:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.