Skip to main content

Linux CVE-2026-23447

| EUVDEUVD-2026-18694 HIGH
Improper Validation of Array Index (CWE-129)
2026-04-03 Linux GHSA-vf6v-fqr8-5xhj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
125f932a76a97904ef8a555f1dd53e5d0e288c54,77914255155e68a20aa41175edeecf8121dac391
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18694
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

Compile-tested only.

AnalysisAI

Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's USB CDC NCM (cdc_ncm) driver, which implements the CDC Network Control Model specification for USB network devices. The cdc_ncm_rx_verify_ndp32() function validates incoming NTB (Network Transfer Block) packets containing NDP32 headers and associated DPE arrays. The root cause is a classic bounds-check bypass (CWE-119/Buffer Overflow): the function validates the total DPE array size against the skb (socket buffer) length but neglects to add the ndpoffset value to this calculation. When an attacker-controlled or malformed USB device crafts an NTP with the NDP32 positioned near the end of the buffer, the ndpoffset-adjusted address can exceed the buffer bounds, triggering out-of-bounds memory access. The fix applies struct_size_t() to more rigorously compute the combined size of the NDP structure plus the DPE array, mirroring a prior fix applied to the NDP16 variant (cdc_ncm_rx_verify_ndp16()).

RemediationAI

Apply the upstream kernel patches by updating to a kernel version incorporating commit 125f932a76a97904ef8a555f1dd53e5d0e288c54 or the stable-tree equivalents (af0d1613d6751489dbf9f69aac1123f0b1e566e5, a5bd5a2710310c965ea4153cba4210988a3454e2, de70da1fb1d152e981ecb3157f7ec2b633005c16, 77914255155e68a20aa41175edeecf8121dac391) referenced in the stable kernel repositories at https://git.kernel.org/stable/. Monitor your distribution's security advisories for kernel updates that include this patch and apply them via standard kernel upgrade procedures (e.g., apt update && apt upgrade on Debian/Ubuntu, yum update kernel on RHEL/Fedora). As an interim workaround on systems where USB CDC NCM support is not required, disable the cdc_ncm module by blacklisting it (modprobe -r cdc_ncm and adding cdc_ncm to /etc/modprobe.d/blacklist.conf), or recompile the kernel without CONFIG_USB_NET_CDC_NCM enabled. Systems where USB CDC NCM is necessary should prioritize patched kernel deployment.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy