CVE-2026-23447
HIGH EPSS 2.9%
Published Apr 3, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
Published Apr 3, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-129
Affected Products 15
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥4.14.317 – <4.15 |
| linux | linux_kernel | * | ≥4.19.285 – <4.20 |
| linux | linux_kernel | * | ≥5.4.245 – <5.5 |
| linux | linux_kernel | * | ≥5.7.1 – <6.6.130 |
| linux | linux_kernel | * | ≥6.7 – <6.12.78 |
| linux | linux_kernel | * | ≥6.13 – <6.18.20 |
| linux | linux_kernel | * | ≥6.19 – <6.19.10 |
| linux | linux_kernel | 5.7 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 5
- git.kernel.org https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54
- git.kernel.org https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391
- git.kernel.org https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2
- git.kernel.org https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5
- git.kernel.org https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16
Remediation
- git.kernel.org https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54
- git.kernel.org https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391
- git.kernel.org https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2
- git.kernel.org https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5
- git.kernel.org https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16