In the Linux kernel, the following vulnerability has been resolved: net: usb: catc: enable basic endpoint checking catc_probe() fills three URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX - usb_rcvintpipe(usbdev, 2) for interrupt status A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a catc_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls after usb_set_interface() to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time. Similar to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") which fixed the issue in rtl8150.

A flaw was found in the Linux kernel's `net: usb: catc` driver. A malformed Universal Serial Bus (USB) device can present endpoint descriptors with transfer types that differ from what the driver expects. This can lead to the driver attempting to use incorrect endpoint types, potentially causing unexpected behavior or resource exhaustion within the kernel. The vulnerability is resolved by adding checks to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time.

Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Out of support scope kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-45923 https://nvd.nist.gov/vuln/detail/CVE-2026-45923 https://lore.kernel.org/linux-cve-announce/2026052725-CVE-2026-45923-feed@gregkh/T