A newly disclosed vulnerability in the Linux kernel has put USB networking stacks on alert. Tracked as CVE-2026-23447, the flaw resides in the cdc_ncm driver's handling of NDP32 descriptors. It is an out-of-bounds read bug that can be triggered by a malicious USB device. The vulnerability affects kernel versions from 2.6.28 onward, but the practical impact depends on system configuration and use cases.

The bug was discovered by security researcher Andrey Konovalov, who reported it through the syzbot fuzzing framework. The issue was assigned a CVSS v3.1 base score of 4.6, indicating medium severity. While the bug does not allow arbitrary code execution on its own, it can lead to information disclosure or system instability.

Technical Details

The flaw exists in the function cdc_ncm_ndp32_offset() within the file drivers/net/usb/cdc_ncm.c. This function is responsible for parsing NDP32 (Network Data Pointer 32-bit) structures from USB CDC NCM (Communications Device Class Network Control Model) devices. The problem is an insufficient bounds check: the function validates the length of the NDP32 descriptor but fails to properly check the offset values within the descriptor. An attacker with physical access to the system can plug in a malicious USB device that sends a crafted NDP32 descriptor with an out-of-bounds offset. This causes the kernel to read memory beyond the intended buffer.

Specifically, the function cdc_ncm_ndp32_offset() iterates over NDP32 datagram pointers. It checks that the total length of the NDP32 is within the received frame, but it does not verify that each individual datagram pointer's offset falls within the NDP32 itself. As a result, a malicious device can set a datagram pointer to point outside the NDP32, leading to an out-of-bounds read. The kernel may then crash (NULL pointer dereference) or leak sensitive kernel memory.
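To make the missing check concrete, here is an added illustration in C (example code written for this article, not the kernel's cdc_ncm code and not the patch described here): a simplified NDP32 walker whose weak mode validates only the descriptor length, beside a hardened mode that also requires every datagram pointer to fit inside the received frame. The layout constants, function names and the sample frame are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an NDP32: 16-byte header (signature, wLength at byte 4,
 * next-NDP index, reserved) followed by 8-byte datagram pointer entries
 * (dwDatagramIndex, dwDatagramLength). Example code, not the kernel's. */
#define NDP32_HDR_LEN 16
#define DPE32_LEN 8

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Walk the NDP32's datagram pointers. Returns the count accepted, or -1.
 * check_dpes == 0 is the weak pattern: only wLength is checked against the
 * frame, so an entry reaching past the frame is handed to the caller and
 * read out of bounds. check_dpes == 1 is the hardened form. */
static int parse_ndp32(const uint8_t *frame, size_t frame_len, size_t ndp_off,
                       int check_dpes, uint32_t out[][2], int max_out) {
    if (ndp_off > frame_len || frame_len - ndp_off < NDP32_HDR_LEN) return -1;
    uint16_t ndp_len = (uint16_t)(frame[ndp_off + 4] | frame[ndp_off + 5] << 8);
    if (ndp_len < NDP32_HDR_LEN || ndp_len > frame_len - ndp_off) return -1;
    int n = 0;
    for (size_t e = NDP32_HDR_LEN; e + DPE32_LEN <= ndp_len && n < max_out; e += DPE32_LEN) {
        uint32_t idx = rd32(frame + ndp_off + e), len = rd32(frame + ndp_off + e + 4);
        if (idx == 0 || len == 0) break;                /* zero entry ends the list */
        /* overflow-safe: also rejects idx + len wrapping around UINT32_MAX */
        if (check_dpes && (idx > frame_len || len > frame_len - idx)) return -1;
        out[n][0] = idx; out[n][1] = len; n++;
    }
    return n;
}

/* Build a 64-byte frame whose NDP32 (at offset 16, wLength 40) carries one
 * valid pointer (56..64) and one device-controlled pointer. Constructed data. */
static size_t build_frame(uint8_t *buf, uint32_t dev_idx, uint32_t dev_len) {
    const size_t ndp_off = 16;
    memset(buf, 0, 64);
    memcpy(buf + ndp_off, "NCM0", 4);                   /* NDP32 signature */
    buf[ndp_off + 4] = NDP32_HDR_LEN + 3 * DPE32_LEN;   /* third entry stays zero */
    wr32(buf + ndp_off + 16, 56); wr32(buf + ndp_off + 20, 8);
    wr32(buf + ndp_off + 24, dev_idx); wr32(buf + ndp_off + 28, dev_len);
    return 64;
}
/* Parse the constructed frame in weak (0) or hardened (1) mode. */
static int demo(uint32_t dev_idx, uint32_t dev_len, int check_dpes) {
    uint8_t f[64]; uint32_t out[4][2];
    return parse_ndp32(f, build_frame(f, dev_idx, dev_len), 16, check_dpes, out, 4);
}
```

In weak mode a pointer such as (60, 16) on a 64-byte frame is accepted and the caller's later copy runs 12 bytes past the buffer; the hardened mode rejects the whole NDP32 instead, which is the behaviour a driver should have for device-supplied offsets.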

Impact and Exploitability

The vulnerability is classified as an out-of-bounds read. In the worst case, an attacker could leak kernel memory, which might contain sensitive information like encryption keys or user credentials. However, the attack requires physical access to the USB port, which significantly limits the threat scope. For most users, the risk is low. But for systems that accept USB devices from untrusted sources—such as public kiosks, shared workstations, or embedded devices in industrial settings—the bug poses a real danger.

It is worth noting that the bug does not allow remote exploitation. The attacker must plug a malicious USB device directly into the target machine. This reduces the likelihood of widespread attacks but still makes it a concern for environments with high physical security requirements.

Affected Versions and Patches

CVE-2026-23447 affects Linux kernel versions from 2.6.28 (released in 2008) up to and including 6.12-rc4. The fix was committed to the mainline kernel on November 15, 2025, and is included in kernel version 6.12-rc5. The patch adds an additional bounds check to ensure that each datagram pointer offset is within the NDP32 descriptor. The commit message reads: "cdc_ncm: add missing bounds check in cdc_ncm_ndp32_offset()."

For enterprise users, the fix is being backported to stable kernels. Red Hat, Canonical, and SUSE have all released security advisories. Red Hat rates the impact as Moderate. Users are strongly advised to update their kernels to the latest patched version.

Workarounds

If patching is not immediately possible, administrators can mitigate the vulnerability by restricting physical access to USB ports. Disable unused USB ports via BIOS or use USB port blockers. Additionally, the cdc_ncm module can be blacklisted if not needed. However, this will break USB networking functionality.

Conclusion

CVE-2026-23447 is a classic example of a bounds-checking flaw in a kernel driver. While its exploitability is limited by the need for physical access, the potential for information leakage makes it a serious concern for security-conscious environments. The patch is straightforward and should be applied promptly. As always, keeping your kernel up to date is the best defense against such vulnerabilities.