PatchSiren cyber security CVE debrief
CVE-2026-23448 Linux CVE debrief
CVE-2026-23448 is a Linux kernel bug in the usb:cdc_ncm receive path. The NDP16 verifier correctly checked the NDP header against the skb length using ndpoffset, but it did not include ndpoffset when validating the DPE array size. As a result, when the NDP is positioned near the end of the NTB, the DPE entries can extend past the skb buffer and cdc_ncm_rx_fixup() may read out of bounds while iterating the frame descriptors. NVD rates the issue 7.8/High and maps it to CWE-129. The kernel fix adds ndpoffset to the bounds check and uses struct_size_t() to express the full NDP-plus-DPE size more clearly.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-21
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distribution security teams, and operators of affected systems that use the cdc_ncm USB networking driver—especially where local attackers may be able to interact with the device path.
Technical summary
cdc_ncm_rx_verify_ndp16() validates an NDP16 structure and its DPE array. The bug is that the second size check treated the NDP as if it started at offset 0, even though the NDP may be located later in the NTB via wNdpIndex/ndpoffset. That can let the descriptor array pass validation even when it extends beyond the skb data buffer. The follow-on iterator in cdc_ncm_rx_fixup() then reads beyond bounds. The resolved change includes ndpoffset in the nframes bounds check and switches to struct_size_t() for clarity.
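To make the off-by-ndpoffset check concrete, here is a user-space model of the verifier logic described above. It is an added example, not the kernel's own code: the struct layouts follow the USB CDC NCM specification (8-byte NDP16 header, 4-byte DPE16 entries, minimum NDP length 0x10), the `_model` function names, the 64-byte sample NTB and its offsets are constructed for this example, and endianness conversion (`le16_to_cpu`) is omitted, so it assumes a little-endian host. The vulnerable variant measures the DPE array from offset 0; the fixed variant adds `ndpoffset`, which is what the kernel patch does (there via `struct_size_t()`).

```c
/* Added example: model of the NDP16 verifier from drivers/net/usb/cdc_ncm.c,
 * before and after the CVE-2026-23448 fix. Not the kernel's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts per the USB CDC NCM spec (no flexible array member, so the
 * header can be copied with memcpy without alignment concerns). */
struct ndp16_hdr_model {        /* mirrors the fixed part of usb_cdc_ncm_ndp16 */
	uint32_t dwSignature;
	uint16_t wLength;           /* whole NDP length: header + DPE array */
	uint16_t wNextNdpIndex;
};
struct dpe16_model {            /* mirrors usb_cdc_ncm_dpe16 */
	uint16_t wDatagramIndex;
	uint16_t wDatagramLength;
};
#define NDP16_LENGTH_MIN 0x10   /* header + two DPEs (one real, one null terminator) */

/* Shared prefix of both variants: header must fit at ndpoffset and wLength
 * must be at least the minimum. Returns nframes (entries minus the null
 * terminator) or -1. */
static int check_header(const uint8_t *ntb, size_t len, size_t ndpoffset)
{
	struct ndp16_hdr_model hdr;

	if (ndpoffset + sizeof(hdr) > len)
		return -1;                       /* "invalid NDP offset" */
	memcpy(&hdr, ntb + ndpoffset, sizeof(hdr));
	if (hdr.wLength < NDP16_LENGTH_MIN)
		return -1;                       /* "invalid DPT16 length" */
	return (int)((hdr.wLength - sizeof(hdr)) / sizeof(struct dpe16_model)) - 1;
}

/* Byte offset one past the last DPE the rx_fixup iterator would touch. */
size_t dpe_iter_end(size_t ndpoffset, int nframes)
{
	return ndpoffset + sizeof(struct ndp16_hdr_model)
	       + (size_t)nframes * sizeof(struct dpe16_model);
}

/* Pre-fix logic: the DPE array size is compared against len as if the NDP
 * started at offset 0, so an NDP near the end of the NTB passes. */
int verify_ndp16_vulnerable_model(const uint8_t *ntb, size_t len, size_t ndpoffset)
{
	int nframes = check_header(ntb, len, ndpoffset);

	if (nframes < 0)
		return -1;
	if (dpe_iter_end(0, nframes) > len)      /* ndpoffset missing here */
		return -1;
	return nframes;
}

/* Fixed logic: the array must fit starting from ndpoffset. */
int verify_ndp16_fixed_model(const uint8_t *ntb, size_t len, size_t ndpoffset)
{
	int nframes = check_header(ntb, len, ndpoffset);

	if (nframes < 0)
		return -1;
	if (dpe_iter_end(ndpoffset, nframes) > len)
		return -1;
	return nframes;
}

/* Constructed sample NTB: 64 bytes, NDP header placed at ndpoffset with the
 * given wLength; everything else zero. */
#define SAMPLE_LEN 64
#define SAMPLE_NDPOFFSET 48   /* 16 bytes from the end */
#define SAMPLE_WLENGTH 24     /* header + 4 DPEs, i.e. 3 frames + terminator */
static uint8_t sample_ntb[SAMPLE_LEN];

const uint8_t *build_sample_ntb(size_t ndpoffset, uint16_t wlength)
{
	struct ndp16_hdr_model hdr = { 0x304D434E /* "NCM0" */, wlength, 0 };

	memset(sample_ntb, 0, sizeof(sample_ntb));
	if (ndpoffset + sizeof(hdr) <= sizeof(sample_ntb))
		memcpy(sample_ntb + ndpoffset, &hdr, sizeof(hdr));
	return sample_ntb;
}

int demo_vulnerable(void)   /* returns 3: NDP accepted although DPEs end at byte 68 */
{
	return verify_ndp16_vulnerable_model(
		build_sample_ntb(SAMPLE_NDPOFFSET, SAMPLE_WLENGTH), SAMPLE_LEN, SAMPLE_NDPOFFSET);
}

int demo_fixed(void)        /* returns -1: rejected, iterator would run past 64 */
{
	return verify_ndp16_fixed_model(
		build_sample_ntb(SAMPLE_NDPOFFSET, SAMPLE_WLENGTH), SAMPLE_LEN, SAMPLE_NDPOFFSET);
}

int main(void)
{
	printf("vulnerable verdict: %d, fixed verdict: %d, DPE array ends at byte %zu of %d\n",
	       demo_vulnerable(), demo_fixed(),
	       dpe_iter_end(SAMPLE_NDPOFFSET, 3), SAMPLE_LEN);
	return 0;
}
```

The sample places an NDP claiming four descriptor entries with only 16 bytes left in the buffer: the pre-fix check compares 20 bytes against a 64-byte length and accepts it, while the fixed check compares 48 + 20 = 68 against 64 and rejects it. The same NDP at offset 16 passes both variants, which is the expected behaviour for a well-formed NTB.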
Defensive priority
High for affected Linux kernels, particularly on systems where the cdc_ncm USB network path is in use and local attacker interaction is possible.
Recommended defensive actions
- Apply the kernel updates that include the cdc_ncm bounds-check fix referenced in the linked stable patches.
- Inventory affected Linux kernel versions and confirm exposure against the NVD version ranges.
- Prioritize patching systems that use USB CDC NCM networking or that accept locally attached USB devices.
- Monitor vendor advisories and kernel package updates tied to the referenced fixes.
- If immediate patching is not possible, reduce exposure by limiting untrusted local access to affected systems.
Evidence notes
Based only on the supplied NVD record and linked kernel patches. The NVD record is marked analyzed, published on 2026-04-03 and modified on 2026-05-21. NVD lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8/High) and affected Linux kernel ranges ending at 6.6.130, 6.12.78, 6.18.20, 6.19.10, plus 7.0-rc1 through rc4. The record also cites CWE-129 and includes patch references in stable kernel git links.
Official resources
- CVE-2026-23448 CVE record (CVE.org)
- CVE-2026-23448 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (five patch references in the NVD record)
Publicly disclosed by NVD on 2026-04-03T16:16:30.863Z and updated on 2026-05-21T00:44:10.273Z with analyzed status and patch references.