CVE-2026-23447: Incorrect Calculation of Buffer Size in Linux

Severity: 6.6 MEDIUM (no vector)
EPSS: 0.0% (top 93.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 3

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-p
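As an added illustration (not the kernel driver's code), the following self-contained C model contrasts the flawed NDP32 bounds check with one that includes ndpoffset. The struct layouts mirror the kernel's usb_cdc_ncm_ndp32 and usb_cdc_ncm_dpe32 (16-byte header, 8-byte DPE); the functions verify_ndp32 and check_truncated_ntb and the 64-byte sample NTB are constructed here for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the CDC NCM NDP32 header and DPE32 entry; names and
 * sizes follow the kernel definitions, but this is an illustrative model. */
struct ndp32_hdr {
    uint32_t dwSignature;
    uint16_t wLength;        /* total NDP length: header plus DPE array */
    uint16_t wReserved6;
    uint32_t dwNextNdpIndex;
    uint32_t dwReserved12;
};
struct dpe32 {
    uint32_t dwDatagramIndex;
    uint32_t dwDatagramLength;
};

/* Returns the number of datagram entries if the NDP fits inside the NTB, else
 * -1. ntb_len stands in for skb->len; ndpoffset is where the NDP starts; the
 * last DPE is the all-zero terminator. fixed=false reproduces the flawed check. */
static int verify_ndp32(const uint8_t *ntb, size_t ntb_len,
                        size_t ndpoffset, bool fixed)
{
    struct ndp32_hdr hdr;
    if (ndpoffset + sizeof(hdr) > ntb_len)          /* header itself must fit */
        return -1;
    memcpy(&hdr, ntb + ndpoffset, sizeof(hdr));
    if (hdr.wLength < sizeof(hdr) + sizeof(struct dpe32))
        return -1;
    int nframes = (hdr.wLength - sizeof(hdr)) / sizeof(struct dpe32) - 1;
    size_t ndp_bytes = sizeof(hdr) + (size_t)(nframes + 1) * sizeof(struct dpe32);
    /* Flawed: compares the NDP size against the whole NTB, ignoring where the
     * NDP starts, so an NDP near the end passes although its DPEs lie outside. */
    size_t end = fixed ? ndpoffset + ndp_bytes : ndp_bytes;
    return end > ntb_len ? -1 : nframes;
}

/* Constructed 64-byte NTB with a 40-byte NDP32 declared at offset 48, so only
 * the 16-byte header lies inside the buffer and the DPE array would not. */
static int check_truncated_ntb(bool fixed)
{
    uint8_t ntb[64] = {0};
    struct ndp32_hdr hdr = { .dwSignature = 0x30706D6E, .wLength = 40 }; /* "nmp0" */
    memcpy(ntb + 48, &hdr, sizeof(hdr));
    return verify_ndp32(ntb, sizeof ntb, 48, fixed);
}
```

With the sample NTB, check_truncated_ntb(false) returns 2 (the flawed check accepts an NDP whose DPE array extends 24 bytes past the buffer), while check_truncated_ntb(true) returns -1.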

Affected Packages (3 packages)

Debian: linux/linux_kernel < 6.19.10-1
CVEListV5: linux/linux 0fa81b304a7973a499f844176ca031109487dd31, 125f932a76a97904ef8a555f1dd53e5d0e288c54 (+8)
debian: debian/linux < linux 6.19.10-1 (forky)

🔴 Vulnerability Details (2)

GHSA (2026-04-03)
GHSA-vf6v-fqr8-5xhj: In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-c
OSV (2026-04-03)
CVE-2026-23447: In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-che

📋 Vendor Advisories (2)

Red Hat (2026-04-03)
kernel: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
Debian (2026)
CVE-2026-23447: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: c...

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-23447 Impact, Exploitability, and Mitigation Steps | Wiz