CVE-2026-23448
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check

cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
entries fit within the skb. The first check correctly accounts for
ndpoffset:

    if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)

but the second check omits it:

    if ((sizeof(struct usb_cdc_ncm_ndp16) +
         ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)

This validates the DPE array size against the total skb length as if
the NDP were at offset 0, rather than at ndpoffset. When the NDP is
placed near the end of the NTB (large wNdpIndex), the DPE entries can
extend past the skb data buffer even though the check passes.
cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
the DPE array.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.
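An added example (not kernel code and not part of the advisory): a userspace model of the two bounds checks described above, showing a case where the header check and the pre-fix DPE check both pass while the DPE array ends past the buffer. The function names and the sample lengths are constructed for illustration; the 8-byte header and 4-byte entry sizes follow the NDP16 layout.

```c
#include <stddef.h>
#include <stdio.h>

/* NDP16 layout: 8-byte header followed by 4-byte datagram pointer entries. */
#define NDP16_HDR_LEN 8u
#define DPE16_LEN     4u

/* First check on the page: does the NDP header fit at ndpoffset? */
static int ndp_header_fits(size_t skb_len, size_t ndpoffset)
{
    return !(ndpoffset + NDP16_HDR_LEN > skb_len);
}

/* Second check as described before the fix: ndpoffset is left out. */
static int dpe_fits_before_fix(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    (void)ndpoffset; /* unused, which is the defect */
    return !(NDP16_HDR_LEN + nframes * DPE16_LEN > skb_len);
}

/* Second check as described after the fix: measured from ndpoffset. */
static int dpe_fits_after_fix(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    return !(ndpoffset + NDP16_HDR_LEN + nframes * DPE16_LEN > skb_len);
}

/* Bytes by which the DPE array would extend past the buffer (0 if it fits). */
static size_t dpe_overrun(size_t skb_len, size_t ndpoffset, size_t nframes)
{
    size_t end = ndpoffset + NDP16_HDR_LEN + nframes * DPE16_LEN;
    return end > skb_len ? end - skb_len : 0;
}

int main(void)
{
    /* Constructed cases: {skb length, ndpoffset, DPE entry count}. */
    const size_t cases[][3] = { {2048, 12, 16}, {2048, 2032, 16} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t len = cases[i][0], off = cases[i][1], n = cases[i][2];
        printf("len=%zu off=%zu n=%zu hdr=%d before=%d after=%d overrun=%zu\n",
               len, off, n, ndp_header_fits(len, off),
               dpe_fits_before_fix(len, off, n),
               dpe_fits_after_fix(len, off, n), dpe_overrun(len, off, n));
    }
    return 0;
}
```

In the second case only the post-fix check rejects the input, which is the condition the referenced commits close.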
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a
- https://git.kernel.org/stable/c/403f94ddcb36c552fbef51dea735b131e3dcde8b
- https://git.kernel.org/stable/c/789204f980730258c983102c027c375238009c80
- https://git.kernel.org/stable/c/dce9dda0e3707e887977db44407989e9ead26611
- https://git.kernel.org/stable/c/f1c7701d3ac91b62d672c13690cf295821f0d5c3



