PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45923 Linux CVE debrief

CVE-2026-45923 documents a vulnerability in the Linux kernel's CATC USB Ethernet driver (drivers/net/usb/catc.c). The driver did not validate USB endpoint descriptors before use: it assumed hardcoded endpoint numbers (1 for bulk TX/RX, 2 for interrupt status) without verifying their transfer types. A malicious USB device could present endpoints with mismatched transfer types, potentially causing undefined behavior or driver malfunction. The fix introduces explicit endpoint checking using usb_check_bulk_endpoints() and usb_check_int_endpoints() after usb_set_interface(), rejecting devices with non-conforming descriptors at probe time. This follows the same pattern as CVE-2024-XXXX (rtl8150), fixed in commit 90b7f2961798. Multiple stable kernel branches received backports.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with CATC USB Ethernet support; security teams tracking USB attack surface in Linux environments; kernel maintainers reviewing USB driver endpoint validation patterns

Technical summary

The CATC USB Ethernet driver (drivers/net/usb/catc.c) used hardcoded endpoint numbers without verifying descriptor transfer types. The vulnerability allowed malicious USB devices to present unexpected endpoint configurations. The resolution adds usb_check_bulk_endpoints() and usb_check_int_endpoints() validation after interface setup, with an enum replacing magic constants for maintainability.
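To make the probe-time gate concrete, here is an added userspace C model of the check the fix adds. It is not the kernel's code or the page's own; it reproduces the contract of usb_check_bulk_endpoints()/usb_check_int_endpoints() over a minimal endpoint-descriptor struct, using the endpoint numbers the page names (the IN/OUT direction bits and the constructed descriptor sets are assumptions).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* The two descriptor fields the check needs (USB 2.0 spec, section 9.6.6). */
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };

#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

/* Endpoint numbers are the ones the page names; the direction bits are assumed. */
enum catc_ep { CATC_EP_BULK = 1, CATC_EP_INT = 2 };

/* Same contract as usb_check_bulk_endpoints()/usb_check_int_endpoints(): every
 * address in the 0-terminated list must exist in the altsetting AND carry the
 * expected transfer type, so a right-numbered endpoint of the wrong type fails. */
static bool check_endpoints(const struct ep_desc *eps, size_t n,
                            const uint8_t *addrs, uint8_t xfer)
{
    for (; *addrs; addrs++) {
        bool found = false;
        for (size_t i = 0; i < n; i++) {
            if (eps[i].bEndpointAddress != *addrs)
                continue;
            if ((eps[i].bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != xfer)
                return false;   /* mismatched transfer type: reject */
            found = true;
        }
        if (!found)
            return false;       /* endpoint absent from this altsetting */
    }
    return true;
}

/* Probe-time gate: bulk EP1 OUT/IN and interrupt EP2 IN must all validate;
 * in the driver a false result means probe fails and the device is never bound. */
bool catc_endpoints_ok(const struct ep_desc *eps, size_t n)
{
    static const uint8_t bulk_eps[] = { CATC_EP_BULK, CATC_EP_BULK | USB_DIR_IN, 0 };
    static const uint8_t int_eps[]  = { CATC_EP_INT | USB_DIR_IN, 0 };
    return check_endpoints(eps, n, bulk_eps, USB_ENDPOINT_XFER_BULK) &&
           check_endpoints(eps, n, int_eps, USB_ENDPOINT_XFER_INT);
}

/* Constructed altsettings: a conforming device, one whose EP1 OUT is declared
 * interrupt instead of bulk, and one that omits the interrupt endpoint. */
const struct ep_desc good_eps[]    = { {0x01, 0x02}, {0x81, 0x02}, {0x82, 0x03} };
const struct ep_desc badtype_eps[] = { {0x01, 0x03}, {0x81, 0x02}, {0x82, 0x03} };
const struct ep_desc missing_eps[] = { {0x01, 0x02}, {0x81, 0x02} };
```

The pre-fix driver accepted all three of these descriptor sets because it never looked at bmAttributes; only the first passes the gate.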

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • For systems using CATC-based USB Ethernet adapters, prioritize patching if untrusted USB device attachment is possible
  • Review custom or out-of-tree USB drivers for the same hardcoded-endpoint pattern and add equivalent usb_check_bulk_endpoints()/usb_check_int_endpoints() validation at probe time
  • Monitor distribution security advisories for kernel package updates addressing CVE-2026-45923

Evidence notes

The CVE description and kernel.org commits confirm the vulnerability class: missing USB endpoint descriptor validation in a network driver. The fix pattern mirrors prior art in rtl8150 (commit 90b7f2961798 referenced in description). Seven stable branch commits provided indicate widespread backporting. No CVSS score or CPE data available at time of disclosure.

Official resources

2026-05-27