CVE-2026-23447 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also
exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
against the total skb length without accounting for ndpoffset, allowing
out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.

Compile-tested only.

Published: 2026-04-03

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel's USB CDC Network Control Model (cdc_ncm) driver. A bounds‑check bug in the function cdc_ncm_rx_verify_ndp32() allows the driver to read beyond the end of a DPE array when an NDP32 frame is positioned near the boundary of the NTB. This out‑of‑bounds read can expose kernel memory contents to a crafted USB device and may lead to information disclosure or kernel panic.

Affected Systems

The affected product is the Linux kernel. Versions that incorporate the buggy driver implementation are unspecified, but any Linux distribution compiling the kernel from sources that include the pre‑patch code lacks protection. Users of standard kernel releases released before the fix are potentially impacted.

Risk and Exploitability

No CVSS score or EPSS data is provided, so the quantified severity and likelihood remain unknown. Based on the description, a local attacker with physical access could supply a malicious USB device that sends an NDP32 packet near the NTB boundary to trigger the out‑of‑bounds read. The exploit requires the vulnerable driver to be loaded and the device to be connected, making it a local USB‑based attack vector. The risk is mitigated once the kernel is updated to a patched version that includes bounds‑checking for ndpoffset.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0fa81b304a7973a499f844176ca031109487dd31`	affected	< 125f932a76a97904ef8a555f1dd53e5d0e288c54
`0fa81b304a7973a499f844176ca031109487dd31`	affected	< af0d1613d6751489dbf9f69aac1123f0b1e566e5
`0fa81b304a7973a499f844176ca031109487dd31`	affected	< a5bd5a2710310c965ea4153cba4210988a3454e2
`0fa81b304a7973a499f844176ca031109487dd31`	affected	< de70da1fb1d152e981ecb3157f7ec2b633005c16
`0fa81b304a7973a499f844176ca031109487dd31`	affected	< 77914255155e68a20aa41175edeecf8121dac391
`8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7`	affected	—
`4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6`	affected	—
`a270ca35a9499b58366d696d3290eaa4697a42db`	affected	—

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0fa81b304a7973a499f844176ca031109487dd31,125f932a76a97904ef8a555f1dd53e5d0e288c54)`	affected	code_commit	—
`[0fa81b304a7973a499f844176ca031109487dd31,af0d1613d6751489dbf9f69aac1123f0b1e566e5)`	affected	code_commit	—
`[0fa81b304a7973a499f844176ca031109487dd31,a5bd5a2710310c965ea4153cba4210988a3454e2)`	affected	code_commit	—
`[0fa81b304a7973a499f844176ca031109487dd31,de70da1fb1d152e981ecb3157f7ec2b633005c16)`	affected	code_commit	—
`[0fa81b304a7973a499f844176ca031109487dd31,77914255155e68a20aa41175edeecf8121dac391)`	affected	code_commit	—
`8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7`	affected	code_commit	—
`4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6`	affected	code_commit	—
`a270ca35a9499b58366d696d3290eaa4697a42db`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.7`	affected	generic	—
`[0,5.7)`	unaffected	generic	—
`[6.6.130,7.0.0)`	unaffected	semver	—
`[6.12.78,7.0.0)`	unaffected	semver	—
`[6.18.20,7.0.0)`	unaffected	semver	—
`[6.19.10,7.0.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an updated Linux kernel that includes the commit fixing the bounds‑check bug (e.g., 125f932a76a97904ef8a555f1dd53e5d0e288c54).
If a kernel update is not immediately available, disable or unload the cdc_ncm module or block the USB device from connecting to the host.
Verify that the kernel version in use is not among those vulnerable by consulting the vendor’s changelog or security advisories.

Generated by OpenCVE AI on April 3, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54
https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391
https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2
https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5
https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16
https://lore.kernel.org/linux-cve-announce/2026040315-CVE-2026-23447-dd25@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23447
https://www.cve.org/CVERecord?id=CVE-2026-23447

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026040315-CVE-2026-23447-dd25@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23447 https://www.cve.org/CVERecord?id=CVE-2026-23447
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only.
Title		net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54 https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391 https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2 https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5 https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:30.495Z

Updated: 2026-04-03T15:15:30.495Z

Reserved: 2026-01-13T15:37:46.019Z

Link: CVE-2026-23447

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:30.663

Modified: 2026-04-03T16:16:30.663

Link: CVE-2026-23447

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23447 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:05Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object