HIGH
cdc_ncm NDP32 OOB
CVE-2026-23447
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

Compile-tested only.
02 KernelScan AI Analysis
Risk summary
A malicious USB CDC NCM device can trigger out-of-bounds memory reads in the kernel by crafting NCM transfer blocks with improperly positioned NDP32 structures. This could lead to information disclosure or system crashes when processing network packets from the USB device.
Vulnerability analysis
Root Cause: The cdc_ncm_rx_verify_ndp32() function validates the size of the DPE (Data Packet Entry) array against the total skb length without accounting for the ndpoffset. This allows the NDP32 (Network Datagram Pointer 32-bit) structure to be placed near the end of the NTB (NCM Transfer Block), causing the bounds check to pass even when the actual DPE array extends beyond the buffer boundaries.
Attack Surface: This vulnerability affects USB CDC NCM (Network Control Model) devices. An attacker would need to control a malicious USB device or be able to inject malformed NCM packets through a compromised USB network device. The vulnerability requires physical access to connect a USB device or compromise of an existing USB NCM device.
Fix Mechanism: The patch adds ndpoffset to the bounds check calculation, ensuring that the validation accounts for the actual position of the NDP32 structure within the buffer. It also replaces the manual size calculation with struct_size_t() for clearer expression of the NDP-plus-DPE-array size and more robust overflow protection.
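The difference between the two checks described above, as an added user-space model (not the kernel's code and not part of the original advisory). The 16-byte header and 8-byte entry sizes, the minimum wLength, and all function names are assumptions of this sketch; the driver's other validation steps are omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NDP32_HDR_LEN 16u /* assumed NDP32 header size */
#define DPE32_LEN      8u /* assumed size of one 32-bit DPE */

/* DPEs to process: entries declared by wLength, minus the terminating entry. */
static int ndp32_nframes(uint16_t wLength)
{
    if (wLength < NDP32_HDR_LEN + 2 * DPE32_LEN)
        return -1;
    return (int)((wLength - NDP32_HDR_LEN) / DPE32_LEN) - 1;
}

/* Unfixed check: NDP-plus-DPE-array size compared with the total length only. */
static int verify_ndp32_unfixed(size_t skb_len, size_t ndpoffset, uint16_t wLength)
{
    int n = ndp32_nframes(wLength);
    (void)ndpoffset; /* where the NDP32 sits is ignored: this is the bug */
    if (n < 0 || NDP32_HDR_LEN + (size_t)n * DPE32_LEN > skb_len)
        return -1;
    return n;
}

/* Fixed check: the same size, measured from ndpoffset. */
static int verify_ndp32_fixed(size_t skb_len, size_t ndpoffset, uint16_t wLength)
{
    int n = ndp32_nframes(wLength);
    if (n < 0 || ndpoffset + NDP32_HDR_LEN + (size_t)n * DPE32_LEN > skb_len)
        return -1;
    return n;
}

/* Bytes a walk over n DPEs would read past the buffer end (0 if none). */
static size_t oob_bytes(size_t skb_len, size_t ndpoffset, int n)
{
    size_t end = ndpoffset + NDP32_HDR_LEN + (size_t)n * DPE32_LEN;
    return end > skb_len ? end - skb_len : 0;
}

int main(void)
{
    /* Constructed input: 2048-byte NTB, NDP32 at offset 2000, wLength 280. */
    printf("unfixed: %d\n", verify_ndp32_unfixed(2048, 2000, 280));
    printf("fixed:   %d\n", verify_ndp32_fixed(2048, 2000, 280));
    printf("oob:     %zu bytes\n", oob_bytes(2048, 2000, 32));
    return 0;
}
```

With the constructed input the unfixed check accepts 32 entries although the array ends 224 bytes past the buffer; the fixed check rejects the block, while an NDP32 near the start of the NTB passes both.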
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.15 | 4.15 | 125f932a76a9 |
| 4.20 | 4.20 | af0d1613d675 |
| 5.5 | 5.5 | a5bd5a271031 |
| 6.12 | 6.12.78 | 77914255155e |
| 6.18 | 6.18.20 | — |
| 6.19 | 6.19.10 | — |
| 6.6 | 6.6.130 | de70da1fb1d1 |
| mainline | 7.0 | — |