CVE-2026-23447 PUBLISHED

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

Compile-tested only.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 0fa81b304a7973a499f844176ca031109487dd31 to 125f932a76a97904ef8a555f1dd53e5d0e288c54 (excl.)
  • affected from 0fa81b304a7973a499f844176ca031109487dd31 to af0d1613d6751489dbf9f69aac1123f0b1e566e5 (excl.)
  • affected from 0fa81b304a7973a499f844176ca031109487dd31 to a5bd5a2710310c965ea4153cba4210988a3454e2 (excl.)
  • affected from 0fa81b304a7973a499f844176ca031109487dd31 to de70da1fb1d152e981ecb3157f7ec2b633005c16 (excl.)
  • affected from 0fa81b304a7973a499f844176ca031109487dd31 to 77914255155e68a20aa41175edeecf8121dac391 (excl.)
  • Version 8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7 is affected
  • Version 4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6 is affected
  • Version a270ca35a9499b58366d696d3290eaa4697a42db is affected
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.7 is affected
  • unaffected from 0 to 5.7 (excl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.78 to 6.12.* (incl.)
  • unaffected from 6.18.20 to 6.18.* (incl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References