{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check",
    "id" : "2454838",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454838"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-131",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check\nThe same bounds-check bug fixed for NDP16 in the previous patch also\nexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated\nagainst the total skb length without accounting for ndpoffset, allowing\nout-of-bounds reads when the NDP32 is placed near the end of the NTB.\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\nCompile-tested only.", "A flaw was found in the USB CDC NCM (Network Control Model) driver in the Linux kernel. This vulnerability, a bounds-check bug, occurs when processing NCM Datagram Pointer (NDP32) frames. It fails to correctly account for the `ndpoffset`, which can lead to out-of-bounds reads. This could result in information disclosure or system instability." ],
  "statement" : "This mirrors the NDP16 fix: the DPE array length was checked as if the NDP sat at offset zero. Malicious or buggy USB NCM frames can trigger small OOB reads during receive processing. Impact is limited to systems with CDC NCM USB networking.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23447\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23447\nhttps://lore.kernel.org/linux-cve-announce/2026040315-CVE-2026-23447-dd25@gregkh/T" ],
  "name" : "CVE-2026-23447",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the cdc_ncm module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}