CVE-2026-23447

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdcncmrxverifyndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use structsizet() to express the NDP-plus-DPE-array size more clearly.

Compile-tested only.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23447.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0fa81b304a7973a499f844176ca031109487dd31

Fixed

125f932a76a97904ef8a555f1dd53e5d0e288c54

Fixed

af0d1613d6751489dbf9f69aac1123f0b1e566e5

Fixed

a5bd5a2710310c965ea4153cba4210988a3454e2

Fixed

de70da1fb1d152e981ecb3157f7ec2b633005c16

Fixed

77914255155e68a20aa41175edeecf8121dac391

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8cf7db86a8984ffa3a3388a8df12bc0aa4c79bd7

Last affected

4ca8b8855264cf1439cdab3da7049bd1e3c2a9e6

Last affected

a270ca35a9499b58366d696d3290eaa4697a42db

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23447.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.7.0

Fixed

6.6.130

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.78

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.20

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23447.json"