Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also
exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
against the total skb length without accounting for ndpoffset, allowing
out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.

Compile-tested only.
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds read in USB CDC NCM driver
Action: Patch immediately
AI Analysis

Impact

A bounds‑check in the Linux CDC NCM USB driver fails to include a required offset, allowing reads beyond the intended memory region. The flaw is a bounds‑check error (CWE‑131) and relates to integer overflow checks (CWE‑129). This can leak kernel memory or cause a kernel crash, representing a size‑calculation and integer error.

Affected Systems

All Linux kernel versions that contain the CDC NCM driver code prior to the commit adding the ndpoffset check are affected. The issue is confined to the upstream Linux kernel and does not target particular distributions or hardware modifications.

Risk and Exploitability

The flaw has a CVSS base score of 7.8, indicating a high severity. The EPSS score indicates a low exploitation probability ( < 1%). The vulnerability is not listed in the CISA KEV catalog. The likely attack path is an attacker providing a malicious USB CDC NCM device; based on the description, it is inferred that crafted NDP32 packets can trigger the out‑of‑bounds read, potentially leading to information disclosure or a kernel panic. No publicly available exploit is documented, but kernel memory leakage could be used in a privileged context.

Generated by OpenCVE AI on April 28, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the ndpoffset fix.
  • If a kernel upgrade is not immediately possible, apply the specific patch that adds the missing offset to the bounds check.
  • As a temporary precaution, blacklist or unload the cdc_ncm module to prevent execution of the vulnerable code.
  • Monitor kernel logs or dmesg for out‑of‑bounds read errors or crashes related to USB CDC NCM traffic.

Generated by OpenCVE AI on April 28, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CPEs cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only.
Title net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:05.447Z

Reserved: 2026-01-13T15:37:46.019Z

Link: CVE-2026-23447

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T16:16:30.663

Modified: 2026-04-23T20:56:17.963

Link: CVE-2026-23447

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23447 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses