Skip to main content

Linux Kernel CVE-2026-45923

| EUVDEUVD-2026-32389 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f555-jxrw-hv6g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Physical or local USB access required (AV:L), low-privilege attacker controls the USB port (PR:L), no confidentiality or integrity impact, high availability impact from kernel crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.9 MEDIUM
AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:31 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: usb: catc: enable basic endpoint checking

catc_probe() fills three URBs with hardcoded endpoint pipes without verifying the endpoint descriptors:

  • usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX
  • usb_rcvintpipe(usbdev, 2) for interrupt status

A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes.

Add a catc_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls after usb_set_interface() to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time.

Similar to

  • commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")

which fixed the issue in rtl8150.

AnalysisAI

Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.

Technical ContextAI

The vulnerable code resides in drivers/net/usb/catc.c, the Linux kernel driver for CATC USB-to-Ethernet adapters. During probe, catc_probe() calls usb_sndbulkpipe(usbdev, 1), usb_rcvbulkpipe(usbdev, 1), and usb_rcvintpipe(usbdev, 2) using magic-number endpoint constants without first invoking usb_check_bulk_endpoints() or usb_check_int_endpoints() to verify that the USB device's descriptors actually declare those endpoints with the expected transfer types. A USB device under attacker control can present endpoint 1 as isochronous or control, or endpoint 2 as bulk, causing the kernel URB machinery to operate on a mismatched transfer type. The fix introduces a catc_usb_ep enum replacing magic constants and adds validation calls immediately after usb_set_interface(), mirroring the approach taken for the rtl8150 driver in commit 90b7f2961798. CWE is not formally assigned, but the root cause class is improper input validation (CWE-20) or type confusion at the USB descriptor layer. Affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* spanning from the driver's introduction around kernel 2.6.12.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 5.10.252 or later in the 5.10.x LTS branch, 6.1.165+ in the 6.1.x LTS branch, 6.6.128+ in the 6.6.x LTS branch, 6.12.75+ in the 6.12.x branch, 6.18.14+ in the 6.18.x branch, 6.19.4+ in the 6.19.x branch, or any 7.0+ release. Fix commits are available at https://git.kernel.org/stable/c/36c28b028efba0f42218d41fed12c47ce217c1f1 and related commits listed in the references. Where immediate kernel upgrade is not feasible, blacklisting the catc kernel module prevents the vulnerable probe path from executing entirely: add 'blacklist catc' to /etc/modprobe.d/blacklist.conf and run depmod -a, with the trade-off of disabling all CATC USB Ethernet adapter functionality on the system. Alternatively, deploying USB authorization policies via /sys/bus/usb/devices/.../authorized or usbguard rules to block untrusted USB devices from being probed provides a compensating control without losing module functionality, at the cost of added USB device management overhead.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy