PatchSiren cyber security CVE debrief

CVE-2026-23312 Linux CVE debrief

A vulnerability in the Linux kernel's kaweth USB network driver allows a local attacker to cause a denial of service through a malicious USB device. The driver fails to validate USB endpoints during device probing, leading to null pointer dereferences when accessing expected URBs. The issue affects Linux kernel versions from 2.6.12 through 6.19.7, with patches available for all supported stable branches. This vulnerability requires physical access or the ability to attach a malicious USB device to the target system.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-26
Advisory published: 2026-03-25
Advisory updated: 2026-05-26

Who should care

System administrators managing Linux workstations and servers with USB ports accessible to untrusted users; security teams responsible for physical security controls; organizations using embedded Linux systems with exposed USB interfaces.

Technical summary

The kaweth driver in the Linux kernel's USB networking subsystem does not validate that a probed USB device exposes the expected number and types of endpoints before binding to it. When a malicious device lacking those endpoints is attached, the URBs (USB Request Blocks) the driver expects for them are never set up, and the driver later dereferences null pointers when it accesses them, crashing the kernel. The vulnerability is local, requires low privileges, and has high availability impact per CVSS 3.1 scoring.

Defensive priority

Medium

Recommended defensive actions

  • Apply kernel updates from your Linux distribution that include fixes for CVE-2026-23312. Patches are available for stable branches 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.77+, 6.18.17+, and 6.19.7+.
  • Restrict physical access to systems to prevent attachment of untrusted USB devices.
  • Consider disabling the kaweth driver via kernel module blacklist if the Kawasaki LSI KL5KUSB101-based USB Ethernet adapter is not required: add 'blacklist kaweth' to /etc/modprobe.d/blacklist.conf or equivalent.
  • Monitor for unexpected kernel crashes or USB device enumeration failures that may indicate exploitation attempts.
  • Review system logs for suspicious USB device attachments, particularly unknown vendor/device IDs claiming to be kaweth-compatible hardware.
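The following POSIX shell script is an added example for the first and third actions above; it is not PatchSiren's tooling and not part of the kernel. It compares a running kernel version against the minimum fixed stable releases listed in this debrief (those seven version strings are the only page-derived values), and reports whether the kaweth module is loaded or blacklisted. The function names and the KAWETH_CHECK_NOMAIN variable are this example's own.

```shell
#!/bin/sh
# Added example: is the running kernel at or above a stable release that
# this debrief names as carrying the CVE-2026-23312 fix, and is the kaweth
# module loaded or blacklisted? Not PatchSiren's or the kernel's own code.

# Minimum fixed release per stable branch, copied from the debrief text.
FIXED_VERSIONS="5.10.253 5.15.203 6.1.167 6.6.130 6.12.77 6.18.17 6.19.7"

# numeric_version STRING: keep only the leading dotted-numeric part, so
# "6.1.167-amd64" becomes "6.1.167".
numeric_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# field VERSION N: N-th dot-separated field (empty when absent).
field() {
    printf '%s\n' "$1" | cut -d. -f"$2"
}

# kaweth_fix_status VERSION
# Prints "fixed" (return 0), "vulnerable" (return 1) or "unknown-branch"
# (return 2, the major.minor branch is not in FIXED_VERSIONS).
kaweth_fix_status() {
    v=$(numeric_version "$1")
    maj=$(field "$v" 1); min=$(field "$v" 2); pat=$(field "$v" 3)
    [ -n "$pat" ] || pat=0
    for f in $FIXED_VERSIONS; do
        fmaj=$(field "$f" 1); fmin=$(field "$f" 2); fpat=$(field "$f" 3)
        if [ "$maj" -eq "$fmaj" ] && [ "$min" -eq "$fmin" ]; then
            if [ "$pat" -ge "$fpat" ]; then
                echo fixed; return 0
            fi
            echo vulnerable; return 1
        fi
    done
    echo unknown-branch; return 2
}

# kaweth_module_status: reads live system state (/proc/modules and
# /etc/modprobe.d) and reports whether kaweth is loaded or blacklisted.
kaweth_module_status() {
    if grep -qw '^kaweth' /proc/modules 2>/dev/null; then
        echo "kaweth module: loaded"
    else
        echo "kaweth module: not loaded"
    fi
    if grep -rqs '^blacklist[[:space:]][[:space:]]*kaweth' /etc/modprobe.d/ 2>/dev/null; then
        echo "kaweth module: blacklist entry present in /etc/modprobe.d"
    else
        echo "kaweth module: no blacklist entry in /etc/modprobe.d"
    fi
}

main() {
    running=$(uname -r)
    status=$(kaweth_fix_status "$running") || :
    echo "running kernel $running: $status"
    kaweth_module_status
}

# Run the report unless the caller only wants the functions (e.g. sourcing).
[ -n "${KAWETH_CHECK_NOMAIN:-}" ] || main "$@"
```

Two caveats when reading the output. Distributions routinely backport fixes without bumping the upstream patch level, so "vulnerable" on a vendor kernel means "check the vendor's advisory for CVE-2026-23312", not a confirmed exposure; "unknown-branch" means the running branch is not one of the stable series the debrief lists. Also, a `blacklist kaweth` line only stops automatic loading on device enumeration; an explicit `modprobe kaweth` still succeeds. To block loading outright, use `install kaweth /bin/false` in the same modprobe.d file.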

Evidence notes

CVE published 2026-03-25; modified 2026-05-26. NVD status: Analyzed. Multiple stable kernel patches released. CVSS 3.1 score 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact with no confidentiality or integrity impact.

Official resources

2026-03-25