Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Limit XDomain response copy to actual frame size

tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size. When a short
response arrives, this reads past the valid frame data in the DMA
pool buffer into stale contents from previous transactions.

Use the minimum of frame size and expected response size for the
copy length.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s Thunderbolt driver contains a flaw where the tb_xdomain_copy() function copies response bytes based on the requested response size without verifying that this size does not exceed the actual frame size. When a short response is received, the function reads past the valid data area into stale contents from previous DMA transactions. This results in an out‑of‑bounds memory read (CWE‑125) that can leak kernel data to an attacker. The vulnerability does not allow direct code execution; its primary risk is the disclosure of privileged kernel information if an attacker can trigger the XDomain response copy.

Affected Systems

The issue is present in every Linux kernel build that ships the Thunderbolt driver until the kernel incorporates the fix that limits the copy length to the smaller of the frame size and the expected response size. No specific kernel version thresholds are enumerated, so all current releases are potentially vulnerable unless the patch is applied.

Risk and Exploitability

Because the flaw requires interacting with an XDomain response, exploitation demands either local or elevated privileges that allow a user to send carefully crafted packets to a Thunderbolt device. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the risk becomes appreciable on systems where untrusted users have the ability to communicate with Thunderbolt endpoints, though the lack of remote execution and the need for privileged access means the potential for widespread impact is limited.

Generated by OpenCVE AI on June 25, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a kernel version that incorporates the patch restricting the XDomain copy length.
  • If a kernel upgrade cannot be performed immediately, limit Thunderbolt device access to privileged users only or disable Thunderbolt functionality via BIOS or kernel module options to eliminate the vulnerable code path.
  • Use kernel module blacklist options or disable the Thunderbolt driver entirely when the device is not required.

Generated by OpenCVE AI on June 25, 2026 at 11:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Limit XDomain response copy to actual frame size tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions. Use the minimum of frame size and expected response size for the copy length.
Title thunderbolt: Limit XDomain response copy to actual frame size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:32.877Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53146

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:00:04Z

Weaknesses

No weakness.