What is CVE-2026-45923?

CVE-2026-45923 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 2.6.12 onward and patched in 5.10.252, 6.1.165, 6.6.128 and others. CVE-2026-45923 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45923?

CVE-2026-45923 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-45923?

Yes, CVE-2026-45923 has been patched. Fixed versions include 5.10.252, 6.1.165, 6.6.128 and others. If you are running Linux kernel 2.6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45923 actively exploited?

CVE-2026-45923 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45923

In the Linux kernel, the following vulnerability has been resolved: net: usb: catc: enable basic endpoint checking catc_probe() fills three URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX - usb_rcvintpipe(usbdev, 2) for interrupt status A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a catc_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls after usb_set_interface() to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time. Similar to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") which fixed the issue in rtl8150.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 2.6.12 and later are affected. Fixed in 5.10.252, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 2.6.12

Fixed in

✓ 5.10.252 5.10.x ✓ 6.1.165 6.1.x ✓ 6.6.128 6.6.x ✓ 6.12.75 6.12.x ✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45923 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/163d04897e57633c5d2e69734e4e4b22bb63f50d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/1a42cfced8900d33d032c7ec338484855b61b8cc
Patch
Kernel patch commit
https://git.kernel.org/stable/c/36c28b028efba0f42218d41fed12c47ce217c1f1
Patch

7 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-45923?

CVE-2026-45923 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 2.6.12 onward and has been patched in 5.10.252, 6.1.165, 6.6.128 and others. CVE-2026-45923 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-45923?

Yes — CVE-2026-45923 has been patched. Fixed versions include 5.10.252, 6.1.165, 6.6.128 and others. If you are running Linux kernel 2.6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45923 actively exploited?

No — CVE-2026-45923 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.