CVE-2026-23447
ADVISORY - nistSummary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.
Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.
Compile-tested only.
EPSS Score: 0.00129 (0.029)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Validation of Array Index
ADVISORY - redhat
Incorrect Calculation of Buffer Size
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in