net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
Summary
| CVE | CVE-2026-23447 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-03 16:16:30 UTC |
| Updated | 2026-04-03 16:16:30 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only. |
Risk And Classification
EPSS: 0.000180000 probability, percentile 0.046090000 (date 2026-04-04)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 0fa81b304a7973a499f844176ca031109487dd31 125f932a76a97904ef8a555f1dd53e5d0e288c54 git | Not specified |
| CNA | Linux | Linux | affected 0fa81b304a7973a499f844176ca031109487dd31 af0d1613d6751489dbf9f69aac1123f0b1e566e5 git | Not specified |
| CNA | Linux | Linux | affected 0fa81b304a7973a499f844176ca031109487dd31 a5bd5a2710310c965ea4153cba4210988a3454e2 git | Not specified |
| CNA | Linux | Linux | affected 0fa81b304a7973a499f844176ca031109487dd31 de70da1fb1d152e981ecb3157f7ec2b633005c16 git | Not specified |
| CNA | Linux | Linux | affected 0fa81b304a7973a499f844176ca031109487dd31 77914255155e68a20aa41175edeecf8121dac391 git | Not specified |
| CNA | Linux | Linux | affected 8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7 git | Not specified |
| CNA | Linux | Linux | affected 4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6 git | Not specified |
| CNA | Linux | Linux | affected a270ca35a9499b58366d696d3290eaa4697a42db git | Not specified |
| CNA | Linux | Linux | affected 5.7 | Not specified |
| CNA | Linux | Linux | unaffected 5.7 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.130 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.78 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.20 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.10 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0-rc5 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.