Impact
The bug occurs in the Thunderbolt XDomain packet handling function tb_xdp_handle_request(). The function casts an incoming packet buffer to protocol‑specific structs without verifying that the buffer is large enough for the target type. A malicious peer can send a minimal XDomain packet that satisfies the generic header length check yet is shorter than the struct accessed after the cast, causing an out‑of‑bounds read from the kmemdup allocation. The read can expose kernel memory contents, potentially leaking sensitive data. Based on the description, it is inferred that this out‑of‑bounds read could lead to information disclosure.
Affected Systems
The vulnerability affects the Linux kernel Thunderbolt XDomain subsystem. All systems running any Linux kernel version that has not incorporated the packet size validation patch are affected. The CNA data lists Linux:Linux as the vendor, and no particular kernel versions are listed, so any kernel with the unpatched Thunderbolt XDomain handler could be affected.
Risk and Exploitability
The CVSS score is 8.1, indicating a high severity vulnerability. The EPSS score of <1% suggests a low likelihood of exploitation at present, and the issue is not listed in CISA's KEV catalog. The likely attack vector involves an attacker sending crafted Thunderbolt XDomain packets to a target device that has the vulnerable Thunderbolt driver loaded. Based on the description, it is inferred that the attacker must be able to transmit packets over the Thunderbolt interface, which may require physical proximity or remote access in shared Thunderbolt environments. If Thunderbolt traffic is limited to trusted devices, exploitation risk is further mitigated.
OpenCVE Enrichment
Debian DLA