Skip to main content

Linux Kernel EUVDEUVD-2026-18696

| CVE-2026-23448 HIGH
Improper Validation of Array Index (CWE-129)
2026-04-03 Linux GHSA-pjhh-88pp-3hg6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
May 21, 2026 - 00:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 21, 2026 - 00:52 vuln.today
cvss_changed
CVSS changed
May 21, 2026 - 00:52 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
789204f980730258c983102c027c375238009c80,2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a,403f94ddcb36c552fbef51dea735b131e3dcde8b
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18696
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check

cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset:

if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)

but the second check omits it:

if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)

This validates the DPE array size against the total skb length as if the NDP were at offset 0, rather than at ndpoffset. When the NDP is placed near the end of the NTB (large wNdpIndex), the DPE entries can extend past the skb data buffer even though the check passes. cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating the DPE array.

Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

AnalysisAI

Out-of-bounds read in the Linux kernel's cdc_ncm USB networking driver allows a local attacker with a malicious or compromised USB CDC NCM device to read kernel memory beyond the skb buffer. The flaw lives in cdc_ncm_rx_verify_ndp16(), where the NDP16 nframes bounds check omits the ndpoffset value, letting DPE array iteration in cdc_ncm_rx_fixup() walk past the legitimate buffer when wNdpIndex points near the end of the NTB. No public exploit identified at time of analysis and EPSS exploitation probability is 0.02% (5th percentile), but a patch is available from upstream Linux maintainers.

Technical ContextAI

The cdc_ncm driver implements the USB CDC NCM (Network Control Model) protocol used by USB network adapters and tethered mobile broadband devices. Incoming NCM Transfer Blocks (NTBs) are parsed into an NDP16 header followed by an array of DPE16 (Datagram Pointer Entry) records that describe individual frames. cdc_ncm_rx_verify_ndp16() is supposed to ensure both the NDP header and the DPE array reside fully within the received skb. The root cause is CWE-129 (Improper Validation of Array Index): the first length check correctly added ndpoffset, but the second check compared sizeof(NDP16)+nframes*sizeof(DPE16) against skb_in->len as if the NDP started at offset 0. When wNdpIndex is large, the DPE array effectively extends past the data buffer and cdc_ncm_rx_fixup() reads out-of-bounds kernel memory. Affected CPE is cpe:2.3:a:linux:linux across the affected stable branches, with the fix introducing ndpoffset into the check and using struct_size_t() for clarity.

RemediationAI

Vendor-released patch: upgrade to Linux stable 6.6.130, 6.12.78, 6.18.20, 6.19.10, or mainline 7.0-rc5, whichever matches your branch, by pulling the upstream fix commits at git.kernel.org/stable/c/789204f980730258c983102c027c375238009c80 and the related backports (403f94ddcb36c552fbef51dea735b131e3dcde8b, dce9dda0e3707e887977db44407989e9ead26611, 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a, f1c7701d3ac91b62d672c13690cf295821f0d5c3). For distribution kernels, install the vendor's updated kernel package as soon as the backport ships and reboot. If patching is delayed, blacklist the cdc_ncm module on hosts that do not use USB CDC NCM tethering or modems (echo 'blacklist cdc_ncm' into /etc/modprobe.d/), which prevents the vulnerable parsing path entirely at the cost of breaking USB tethering and certain LTE/5G dongles; alternatively restrict USB device attachment via USBGuard policies or kernel.unprivileged_userns_clone hardening on multi-user systems, accepting the operational overhead of an allow-list. Consult https://nvd.nist.gov/vuln/detail/CVE-2026-23448 and https://vuldb.com/vuln/355133 for additional advisory context.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy