CVE-2026-23448
Description
In the Linux kernel, the following vulnerability has been resolved:
net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset:
if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)
but the second check omits it:
if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)
This validates the DPE array size against the total skb length as if the NDP were at offset 0, rather than at ndpoffset. When the NDP is placed near the end of the NTB (large wNdpIndex), the DPE entries can extend past the skb data buffer even though the check passes. cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating the DPE array.
Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing ndpoffset in NDP DPE bounds check in cdc_ncm driver leads to out-of-bounds read, exploitable via malicious USB device.
Vulnerability
In the Linux kernel's cdc_ncm driver, the function cdc_ncm_rx_verify_ndp16() validates that the NDP16 header and its DPE entries fit within the socket buffer. The first check correctly includes ndpoffset, but the second check, which validates the DPE array size, omits it. The function therefore treats the NDP as if it were at offset 0, so a large wNdpIndex that places the NDP near the end of the NTB lets the DPE entries extend past the skb data buffer even though the check passes [1][2].
Exploitation
An attacker with physical access to a USB port can plug in a malicious USB device that presents crafted CDC NCM descriptors. When the kernel receives an NTB with a large wNdpIndex, the insufficient bounds check may allow out-of-bounds memory reads. No special privileges are required beyond the ability to attach the device, and the attack occurs during normal network packet processing [3][4].
Impact
Reading out-of-bounds kernel memory can leak sensitive data or cause a system crash (denial of service). In some scenarios, this may also be leveraged for privilege escalation or arbitrary code execution, depending on the memory layout.
Mitigation
The fix adds ndpoffset to the DPE array size check and uses struct_size_t() for clarity. The patch has been applied to stable kernel trees as of the referenced commits. Users should update to a kernel containing the fix.
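The following is an added example, not kernel code, that models the two bounds checks described in the Vulnerability and Mitigation sections above. Structure sizes match the kernel's usb_cdc_ncm_ndp16 (8 bytes) and usb_cdc_ncm_dpe16 (4 bytes); the NTB length, wNdpIndex and wLength values are constructed to show an NDP that the pre-fix check accepts while the fixed check rejects.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal models of the on-wire NDP16 and DPE16 layouts (same sizes as the kernel's). */
struct dpe16 { uint16_t wDatagramIndex, wDatagramLength; } __attribute__((packed));
struct ndp16 {
    uint32_t dwSignature;
    uint16_t wLength, wNextNdpIndex;
    struct dpe16 dpe16[];
} __attribute__((packed));

/* First check in cdc_ncm_rx_verify_ndp16(): does the NDP header itself fit at ndpoffset? */
static bool ndp_header_fits(size_t skb_len, size_t ndpoffset) {
    return ndpoffset + sizeof(struct ndp16) <= skb_len;
}

/* DPE entries the driver will iterate: all slots implied by wLength except the null terminator. */
static int ndp16_nframes(uint16_t wLength) {
    return (int)((wLength - sizeof(struct ndp16)) / sizeof(struct dpe16)) - 1;
}

/* Bytes covered by the NDP header plus nframes DPEs (what struct_size_t() expresses). */
static size_t ndp16_span(int nframes) {
    return sizeof(struct ndp16) + (size_t)nframes * sizeof(struct dpe16);
}

/* Pre-fix check: compares the span against skb len as if the NDP sat at offset 0. */
static bool dpe_check_vulnerable(size_t skb_len, size_t ndpoffset, int nframes) {
    (void)ndpoffset;                         /* the bug: ndpoffset is ignored here */
    return ndp16_span(nframes) <= skb_len;
}

/* Fixed check: the span is measured from ndpoffset, where the DPEs actually live. */
static bool dpe_check_fixed(size_t skb_len, size_t ndpoffset, int nframes) {
    return ndpoffset + ndp16_span(nframes) <= skb_len;
}

/* One past the last byte the DPE loop in cdc_ncm_rx_fixup() would read; > skb_len is OOB. */
static size_t dpe_read_end(size_t ndpoffset, int nframes) {
    return ndpoffset + ndp16_span(nframes);
}

int main(void) {
    /* Constructed case: 128-byte NTB, NDP at wNdpIndex 110, wLength 32 (6 slots, 5 iterated). */
    size_t skb_len = 128, ndpoffset = 110;
    int nframes = ndp16_nframes(32);
    printf("header_fits=%d nframes=%d old_check=%d fixed_check=%d read_end=%zu (skb_len=%zu)\n",
           ndp_header_fits(skb_len, ndpoffset), nframes,
           dpe_check_vulnerable(skb_len, ndpoffset, nframes),
           dpe_check_fixed(skb_len, ndpoffset, nframes),
           dpe_read_end(ndpoffset, nframes), skb_len);
    return 0;
}
```

The old check accepts the NDP because 28 bytes fit in a 128-byte buffer in isolation, while the DPE loop would actually read up to offset 138; the fixed check rejects it.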
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References (5)
- git.kernel.org/stable/c/2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a (NVD: Patch)
- git.kernel.org/stable/c/403f94ddcb36c552fbef51dea735b131e3dcde8b (NVD: Patch)
- git.kernel.org/stable/c/789204f980730258c983102c027c375238009c80 (NVD: Patch)
- git.kernel.org/stable/c/dce9dda0e3707e887977db44407989e9ead26611 (NVD: Patch)
- git.kernel.org/stable/c/f1c7701d3ac91b62d672c13690cf295821f0d5c3 (NVD: Patch)