CVE-2026-23448

EUVD-2026-18696
In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check

cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
entries fit within the skb. The first check correctly accounts for
ndpoffset:

  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)

but the second check omits it:

  if ((sizeof(struct usb_cdc_ncm_ndp16) +
       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)

This validates the DPE array size against the total skb length as if
the NDP were at offset 0, rather than at ndpoffset. When the NDP is
placed near the end of the NTB (large wNdpIndex), the DPE entries can
extend past the skb data buffer even though the check passes.
cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
the DPE array.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.8 ≤
𝑥
< 6.6.130
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.78
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.20
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.10
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.13-1
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-azure
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed