cve-2026-23447

About this tag
CVE-2026-23447 is a Linux kernel vulnerability in the USB CDC NCM (cdc_ncm) driver's NDP32 bounds check that can lead to out-of-bounds reads. When verifying the descriptor pointer entry (DPE) array of an NDP32, the kernel did not account for ndpoffset, the NDP's position inside the NTB, so the check could pass even though the DPE array extended past the end of the buffer; the problem surfaces when the NDP32 sits near the end of an NTB. This issue is a follow-on to the earlier NDP16 fix and has been assigned a high CVSS 3.1 score in the Microsoft Security Update Guide. Discussions on WindowsForum.com cover the technical details of the bug, its implications for USB networking stacks on affected systems, and the importance of applying the patch.
  1. CVE-2026-23447: USB CDC NCM NDP32 Bounds Check Bug Explained

    CVE-2026-23447 is a narrow Linux kernel bug with broader implications for anyone running USB networking stacks on affected systems. The flaw sits in the cdc_ncm driver’s NDP32 verification path, where the kernel failed to account for ndpoffset when checking the bounds of the descriptor pointer...
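The following is an added, self-contained C model of the check shape described above and in the tag summary; it is not the kernel's cdc_ncm code. It places an NDP32 near the end of a constructed 64-byte NTB and runs two variants of the DPE-array bounds check: one that ignores ndpoffset (the flaw the page describes) and one that adds it. The struct layouts follow the USB CDC NCM spec (16-byte NDP32 header, 8-byte DPE32 entries, trailing null entry); the function names, the constant NTB size and the exact form of the checks are assumptions made for illustration.

```c
/* Illustrative model of the CVE-2026-23447 bug class (added example; not the
 * kernel's code). Layouts follow the USB CDC NCM spec: a 16-byte NDP32 header
 * followed by 8-byte DPE32 entries, the last of which is a null terminator.
 * Function names, the 64-byte NTB and the exact check shapes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NDP32_HDR_LEN    16u  /* dwSignature, wLength, wReserved6, dwNextNdpIndex, dwReserved12 */
#define DPE32_LEN         8u  /* dwDatagramIndex, dwDatagramLength */
#define NDP32_LENGTH_MIN (NDP32_HDR_LEN + 2u * DPE32_LEN)
#define NDP32_NOCRC_SIGN 0x30706D6Eu  /* "nmp0" */
#define NTB_LEN          64u          /* constructed buffer size */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Verify the NDP32 at ndpoffset inside an NTB of ntb_len bytes.
 * Returns the number of DPEs the caller may walk, or -1 to reject.
 * account_for_offset == 0 reproduces the flawed check shape the page describes;
 * account_for_offset == 1 is the corrected shape. */
static int verify_ndp32(const uint8_t *ntb, size_t ntb_len, size_t ndpoffset,
                        int account_for_offset)
{
    /* The header check is fine in both variants: it includes ndpoffset. */
    if (ndpoffset + NDP32_HDR_LEN > ntb_len)
        return -1;

    uint16_t wlength = get_le16(ntb + ndpoffset + 4);
    if (wlength < NDP32_LENGTH_MIN)
        return -1;

    /* Entries to process: every DPE except the trailing null terminator. */
    size_t nentries = (wlength - NDP32_HDR_LEN) / DPE32_LEN - 1;

    /* Flawed shape: sizes the DPE array as if the NDP began at offset 0, so an
     * NDP near the end of the NTB passes even when its DPEs lie past the
     * buffer. Fixed shape: the array must end inside the NTB. */
    size_t needed = NDP32_HDR_LEN + nentries * DPE32_LEN;
    if (account_for_offset)
        needed += ndpoffset;
    if (needed > ntb_len)
        return -1;

    return (int)nentries;
}

/* One past the last byte a walk over nentries DPEs would read. */
static size_t dpe_array_end(size_t ndpoffset, int nentries)
{
    return ndpoffset + NDP32_HDR_LEN + (size_t)nentries * DPE32_LEN;
}

/* Constructed 64-byte NTB with an NDP32 at ndpoffset whose wLength claims
 * 4 DPEs (16 + 4 * 8 = 48 bytes). Returns verify_ndp32's verdict. */
static int run_case(size_t ndpoffset, int account_for_offset)
{
    uint8_t ntb[NTB_LEN] = {0};
    put_le32(ntb + ndpoffset, NDP32_NOCRC_SIGN);
    put_le16(ntb + ndpoffset + 4, 48);
    return verify_ndp32(ntb, NTB_LEN, ndpoffset, account_for_offset);
}

int main(void)
{
    /* NDP at offset 8: the 48-byte NDP ends at byte 56, inside the NTB. */
    printf("offset  8, flawed: %d  fixed: %d\n", run_case(8, 0), run_case(8, 1));
    /* NDP at offset 48: only the 16-byte header fits. The 3 DPEs to be walked
     * end at byte 88 of a 64-byte buffer, yet the flawed check returns 3. */
    int n = run_case(48, 0);
    printf("offset 48, flawed: %d (DPE walk ends at %zu > %u)  fixed: %d\n",
           n, dpe_array_end(48, n), NTB_LEN, run_case(48, 1));
    return 0;
}
```

The in-bounds case (offset 8) passes both variants, which is why a check of this shape survives normal traffic; only an NDP pushed to the tail of the NTB, as an attacker-controlled USB device can arrange, separates the two, and there the flawed variant hands the caller three entries whose bytes lie beyond the buffer.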