CVE-2026-23448
Out-of-Bounds Read in Linux cdc_ncm USB Network Driver
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB CDC NCM (Network Control Model) driver, specifically in the function cdc_ncm_rx_verify_ndp16(). The function is responsible for validating that the Network Datagram Pointer (NDP) header and its Data Pointer Entries (DPE) fit within the socket buffer (skb).
The issue arises because the validation incorrectly checks the size of the DPE array against the total skb length as if the NDP were always at offset 0, ignoring the actual offset (ndpoffset). This means that when the NDP is located near the end of the Network Transfer Block (NTB), the DPE entries can extend beyond the skb data buffer even though the check passes.
As a result, the function cdc_ncm_rx_fixup() may read out-of-bounds memory when iterating over the DPE array, potentially leading to memory safety issues.
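The check described above can be modelled in user space. This is an added example, not the kernel's code or the upstream patch: the function names and sample values are assumptions, and the 8-byte NDP16 header and 4-byte DPE16 entry sizes follow the NCM 16-bit layout.

```c
#include <stddef.h>
#include <stdio.h>

/* NDP16 header: dwSignature(4) + wLength(2) + wNextNdpIndex(2).
 * DPE16 entry:  wDatagramIndex(2) + wDatagramLength(2). */
#define NDP16_HDR_LEN 8u
#define DPE16_LEN     4u

/* Entries the receive path walks: all but the terminating one.
 * Returns -1 if wLength cannot hold a header plus one entry (model rule). */
static long dpe_entries(size_t w_length)
{
    if (w_length < NDP16_HDR_LEN + DPE16_LEN)
        return -1;
    return (long)((w_length - NDP16_HDR_LEN) / DPE16_LEN) - 1;
}

/* Shared logic: header must fit at ndpoffset, then header + DPE array
 * must fit within 'limit' bytes. */
static long verify(size_t skb_len, size_t ndpoffset, size_t w_length,
                   size_t limit)
{
    long n;
    if (ndpoffset > skb_len || NDP16_HDR_LEN > skb_len - ndpoffset)
        return -1;
    n = dpe_entries(w_length);
    if (n < 0 || NDP16_HDR_LEN + (size_t)n * DPE16_LEN > limit)
        return -1;
    return n;
}

/* Check as described: compares against the whole buffer length,
 * as if the NDP always started at offset 0. */
long verify_ignoring_offset(size_t skb_len, size_t ndpoffset, size_t w_length)
{
    return verify(skb_len, ndpoffset, w_length, skb_len);
}

/* Offset-aware check: compares against the bytes left after ndpoffset. */
long verify_with_offset(size_t skb_len, size_t ndpoffset, size_t w_length)
{
    size_t left = ndpoffset <= skb_len ? skb_len - ndpoffset : 0;
    return verify(skb_len, ndpoffset, w_length, left);
}

int main(void)
{
    /* Constructed values: 64-byte buffer, NDP at offset 48, wLength 32. */
    printf("ignoring offset: %ld\n", verify_ignoring_offset(64, 48, 32));
    printf("with offset:     %ld\n", verify_with_offset(64, 48, 32));
    return 0;
}
```

With the constructed values, the first check accepts five entries even though only 16 bytes remain after the NDP offset, while the offset-aware check rejects the block.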
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's USB CDC NCM driver. Such memory safety issues can cause system instability, crashes, or potentially allow an attacker to read sensitive kernel memory.
Depending on the context and exploitability, this could be leveraged for information disclosure or to aid in privilege escalation attacks, compromising the security and reliability of affected systems.