SB2026040689 - Out-of-bounds read in Linux kernel net usb driver



SB2026040689 - Out-of-bounds read in Linux kernel net usb driver

Published: April 6, 2026

Security Bulletin ID SB2026040689
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Out-of-bounds read (CVE-ID: CVE-2026-23447)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp32() when processing a crafted NDP32 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.

The issue occurs because the DPE array size is validated against the total skb length without accounting for ndpoffset, allowing reads beyond the intended bounds when the NDP32 is placed near the end of the NTB.


Remediation

Install update from vendor's website.