CVE-2026-23447
Published: 03 April 2026
Summary
CVE-2026-23447 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-41 (Port and I/O Device Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely identification, reporting, and correction of flaws like the bounds-checking error in the cdc_ncm_rx_verify_ndp32() function via kernel patching.
- Requires validation of information inputs such as USB CDC NCM packet structures, including ndpoffset and nframes, to prevent out-of-bounds reads.
- Restricts access to USB I/O ports and devices, mitigating local exploitation via crafted CDC NCM traffic on unauthorized USB hardware.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local low-priv bounds-check flaw in kernel USB driver directly enables local exploitation for privilege escalation to kernel-level impact.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only.
Deeper analysis
CVE-2026-23447 is a bounds-checking vulnerability in the Linux kernel's USB CDC NCM (Network Control Model) driver, specifically within the cdc_ncm_rx_verify_ndp32() function. The issue mirrors a prior bug fixed in NDP16 handling: the DPE array size is validated against the total skb length without accounting for the ndpoffset, enabling out-of-bounds reads when an NDP32 structure is positioned near the end of the NTB (Network Transfer Block). This flaw, classified under CWE-129 (Improper Validation of Array Index), carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by crafting malicious USB CDC NCM traffic, triggering the faulty bounds check during packet processing. Successful exploitation allows out-of-bounds memory reads, potentially leading to high-impact confidentiality violations (e.g., sensitive kernel data leakage), integrity compromises (e.g., arbitrary memory corruption), or availability disruptions (e.g., kernel crashes), all with low complexity and no user interaction required.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 125f932a76a97904ef8a555f1dd53e5d0e288c54, which add ndpoffset to the nframes bounds check and use struct_size_t() for clearer NDP-plus-DPE-array sizing. These fixes have been compile-tested only; security practitioners should update affected Linux kernels to versions incorporating these changes and monitor for USB CDC NCM device usage in local environments.
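The bounds check described above, modelled in userspace as an added example (not the kernel's code or the upstream patch). The function names, the 16-byte NDP32 header and 8-byte DPE32 entry sizes, and the sample values in main() are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed NDP32 layout: 16-byte header followed by 8-byte DPE32 entries. */
#define NDP32_HDR_LEN 16u
#define DPE32_LEN      8u

/* Pre-fix logic as the advisory describes it: the NDP-plus-DPE-array size is
 * compared with the whole buffer length and the NDP's offset is ignored. */
static bool ndp32_fits_prefix(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    (void)ndpoffset;
    return NDP32_HDR_LEN + nframes * DPE32_LEN <= skb_len;
}

/* Post-fix logic: offset + header + DPE array must all lie inside the buffer.
 * Written subtraction-first so the comparison itself cannot wrap. */
static bool ndp32_fits_fixed(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    if (nframes > (SIZE_MAX - NDP32_HDR_LEN) / DPE32_LEN)
        return false;                       /* size computation would overflow */
    if (ndpoffset > skb_len)
        return false;                       /* NDP starts past the buffer end */
    return NDP32_HDR_LEN + nframes * DPE32_LEN <= skb_len - ndpoffset;
}

/* Bytes beyond the buffer that a walk over the DPE array would touch
 * (intended for small, test-sized inputs). */
static size_t ndp32_overread(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    size_t end = ndpoffset + NDP32_HDR_LEN + nframes * DPE32_LEN;
    return end > skb_len ? end - skb_len : 0;
}

int main(void)
{
    /* Constructed case: a 2048-byte NTB with the NDP32 placed 48 bytes
     * before the end while claiming 32 datagram entries. */
    size_t len = 2048, off = 2000, n = 32;
    printf("pre-fix accepts: %d\n", ndp32_fits_prefix(len, off, n));
    printf("fixed accepts:   %d\n", ndp32_fits_fixed(len, off, n));
    printf("bytes past end:  %zu\n", ndp32_overread(len, off, n));
    return 0;
}
```

The same three functions can serve as a regression check when backporting the fix: any (length, offset, nframes) tuple that the pre-fix predicate accepts and the fixed predicate rejects is a case the patched driver must drop.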
Details
- CWE(s)