{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23447", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.019Z", "datePublished": "2026-04-03T15:15:30.495Z", "dateUpdated": "2026-05-11T22:07:05.447Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:05.447Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check\n\nThe same bounds-check bug fixed for NDP16 in the previous patch also\nexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated\nagainst the total skb length without accounting for ndpoffset, allowing\nout-of-bounds reads when the NDP32 is placed near the end of the NTB.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\n\nCompile-tested only."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/cdc_ncm.c"], "versions": [{"version": "0fa81b304a7973a499f844176ca031109487dd31", "lessThan": "125f932a76a97904ef8a555f1dd53e5d0e288c54", "status": "affected", "versionType": "git"}, {"version": "0fa81b304a7973a499f844176ca031109487dd31", "lessThan": "af0d1613d6751489dbf9f69aac1123f0b1e566e5", "status": "affected", "versionType": "git"}, {"version": "0fa81b304a7973a499f844176ca031109487dd31", "lessThan": "a5bd5a2710310c965ea4153cba4210988a3454e2", "status": "affected", "versionType": "git"}, {"version": "0fa81b304a7973a499f844176ca031109487dd31", "lessThan": "de70da1fb1d152e981ecb3157f7ec2b633005c16", "status": "affected", "versionType": "git"}, {"version": "0fa81b304a7973a499f844176ca031109487dd31", "lessThan": "77914255155e68a20aa41175edeecf8121dac391", "status": "affected", "versionType": "git"}, {"version": "8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7", "status": "affected", "versionType": "git"}, {"version": "4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6", "status": "affected", "versionType": "git"}, {"version": "a270ca35a9499b58366d696d3290eaa4697a42db", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/cdc_ncm.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.317"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.285"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.245"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54"}, {"url": "https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5"}, {"url": "https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2"}, {"url": "https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16"}, {"url": "https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391"}], "title": "net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6109B59-9FDE-4746-B291-E7423EDF2A70", "versionEndExcluding": "4.15", "versionStartIncluding": "4.14.317", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE641959-B555-4CFF-822C-9888BDADDE4B", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.285", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB2B154A-4B88-47C0-A49E-DBBF55809DED", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.245", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8B82BD0-E332-47C9-8A05-912A7C75676B", "versionEndExcluding": "6.6.130", "versionStartIncluding": "5.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*", "matchCriteriaId": "3D23CE42-BDB2-4216-8495-230ABE98FCDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check\n\nThe same bounds-check bug fixed for NDP16 in the previous patch also\nexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated\nagainst the total skb length without accounting for ndpoffset, allowing\nout-of-bounds reads when the NDP32 is placed near the end of the NTB.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\n\nCompile-tested only."}], "id": "CVE-2026-23447", "lastModified": "2026-04-23T20:56:17.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T16:16:30.663", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check", "id": "2454838", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454838"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in the USB CDC NCM (Network Control Model) driver in the Linux kernel. This vulnerability, a bounds-check bug, occurs when processing NCM Datagram Pointer (NDP32) frames. It fails to correctly account for the `ndpoffset`, which can lead to out-of-bounds reads. This could result in information disclosure or system instability."], "name": "CVE-2026-23447", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23447\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23447\nhttps://lore.kernel.org/linux-cve-announce/2026040315-CVE-2026-23447-dd25@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0fa81b304a7973a499f844176ca031109487dd31,125f932a76a97904ef8a555f1dd53e5d0e288c54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0fa81b304a7973a499f844176ca031109487dd31,af0d1613d6751489dbf9f69aac1123f0b1e566e5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0fa81b304a7973a499f844176ca031109487dd31,a5bd5a2710310c965ea4153cba4210988a3454e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0fa81b304a7973a499f844176ca031109487dd31,de70da1fb1d152e981ecb3157f7ec2b633005c16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0fa81b304a7973a499f844176ca031109487dd31,77914255155e68a20aa41175edeecf8121dac391)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "a270ca35a9499b58366d696d3290eaa4697a42db"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:39:54.577963+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the ndpoffset fix.", "If a kernel upgrade is not immediately possible, apply the specific patch that adds the missing offset to the bounds check.", "As a temporary precaution, blacklist or unload the cdc_ncm module to prevent execution of the vulnerable code.", "Monitor kernel logs or dmesg for out\u2011of\u2011bounds read errors or crashes related to USB CDC NCM traffic."], "summary": {"action": "Patch immediately", "impact": "Out\u2011of\u2011bounds read in USB CDC NCM driver"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that contain the CDC NCM driver code prior to the commit adding the ndpoffset check are affected. The issue is confined to the upstream Linux kernel and does not target particular distributions or hardware modifications.", "description_and_impact": "A bounds\u2011check in the Linux CDC NCM USB driver fails to include a required offset, allowing reads beyond the intended memory region. The flaw is a bounds\u2011check error (CWE\u2011131) and relates to integer overflow checks (CWE\u2011129). This can leak kernel memory or cause a kernel crash, representing a size\u2011calculation and integer error.", "risk_and_exploitability": "The flaw has a CVSS base score of 7.8, indicating a high severity. The EPSS score indicates a low exploitation probability ( < 1%). The vulnerability is not listed in the CISA KEV catalog. The likely attack path is an attacker providing a malicious USB CDC NCM device; based on the description, it is inferred that crafted NDP32 packets can trigger the out\u2011of\u2011bounds read, potentially leading to information disclosure or a kernel panic. No publicly available exploit is documented, but kernel memory leakage could be used in a privileged context."}}}}, "created": "2026-04-03T21:13:50.812309+00:00", "updated": "2026-04-28T16:45:06.184195+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}